In my inputs.conf, I have:
[monitor://cust/http*/web-*/var/log/modsec-audit.log*]
[monitor://cust/http*/web-*/var/log/*access.log*]
[monitor://cust/jboss-as*/server/app-*/log/server.log]
Why did I get these errors:
08-19-2011 01:02:15.148 +0000 ERROR TailingProcessor - Unable to resolve path for symlink: /cust/soe/usr.bak.2010-10-19T051247/man/it/man1/view.1.
08-19-2011 01:02:15.149 +0000 ERROR TailingProcessor - Unable to resolve path for symlink: /cust/soe/usr.bak.2010-10-19T051247/man/it/man1/vim.1.
08-19-2011 01:02:15.151 +0000 ERROR TailingProcessor - Unable to resolve path for symlink: /cust/soe/usr.bak.2010-10-19T051247/man/it/man1/vimdiff.1.
08-19-2011 01:02:15.153 +0000 ERROR TailingProcessor - Unable to resolve path for symlink: /cust/soe/usr.bak.2010-10-19T051247/man/it/man1/vimtutor.1.
08-19-2011 01:02:15.155 +0000 ERROR TailingProcessor - Unable to resolve path for symlink: /cust/soe/usr.bak.2010-10-19T051247/man/it/man1/xxd.1.
I didn't ask Splunk to monitor /cust/soe/ directories.
The tailing processor is going to list ALL files in ALL directories located in /cust. This is how Splunk understands the stanza: for example, /cust/http*/web/file.log is equivalent to find /cust | grep "/cust/http*/web/file.log". If there are not that many files, you can use these stanzas instead; in this example, /cust/http1/web/ and /cust/http2/web/
That should explain why Splunk is stat-ing so many files that you don't need it to.
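The crawl described in the answer, as an added example (this is not Splunk's code and not anything the poster ran): a small Python simulation of the tailing processor's model, where the walk starts at the last wildcard-free directory of the monitor path and every entry under it is stat'd, whether or not it matches. The directory tree, file names and dangling symlink are constructed here; the wildcard rules (* matches within one path segment, ... matches across segments) follow Splunk's documented inputs.conf syntax, and the choice of crawl start point follows the answer's explanation rather than any inspection of Splunk internals.

```python
import os
import re
import tempfile

# Constructed sample tree (an assumption, not the poster's host). The soe/
# subtree is unrelated to the monitor stanzas but sits under the same root.
SAMPLE_FILES = [
    "cust/http1/web-1/var/log/modsec-audit.log",
    "cust/http1/web-1/var/log/modsec-audit.log.1",
    "cust/http1/web-1/var/log/ssl_access.log",
    "cust/http2/web-2/var/log/access.log",
    "cust/jboss-as7/server/app-1/log/server.log",
    "cust/soe/usr.bak/man/it/man1/view.1",
]
# A dangling symlink like the ones in the ERROR lines (target does not exist).
SAMPLE_DANGLING_LINKS = {
    "cust/soe/usr.bak/man/it/man1/vim.1": "../../../../../../missing/vim.1",
}


def build_sample_tree():
    """Create the constructed tree in a temp dir and return its base path."""
    base = tempfile.mkdtemp(prefix="splunk-crawl-")
    for rel in SAMPLE_FILES:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample line\n")
    for rel, target in SAMPLE_DANGLING_LINKS.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.symlink(target, full)
    return base


def wildcard_root(monitor_path):
    """Directory the crawl starts from: the path up to (not including) the
    first segment that contains a wildcard ('*' or '...')."""
    root = []
    for segment in monitor_path.split("/"):
        if "*" in segment or "..." in segment:
            break
        root.append(segment)
    return "/".join(root) or "/"


def monitor_regex(monitor_path):
    """Translate a monitor path into a regex: '*' -> [^/]* (one segment),
    '...' -> .* (any depth), everything else literal."""
    out, i = "", 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out += ".*"
            i += 3
        elif monitor_path[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(monitor_path[i])
            i += 1
    return re.compile("^" + out + "$")


def crawl(base, monitor_path):
    """Simulate the tailing processor: walk from the wildcard root, stat every
    entry, and record which ones match and which symlinks cannot be resolved."""
    root = os.path.join(base, wildcard_root(monitor_path).lstrip("/"))
    pattern = monitor_regex(monitor_path)
    visited, matched, unresolved = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, base)
            visited.append(rel)  # stat'd regardless of whether it matches
            try:
                os.stat(full)  # follows symlinks; a dangling one raises
            except FileNotFoundError:
                unresolved.append(rel)
                continue
            if pattern.match(rel):
                matched.append(rel)
    return {"root": wildcard_root(monitor_path), "visited": sorted(visited),
            "matched": sorted(matched), "unresolved": sorted(unresolved)}


if __name__ == "__main__":
    base = build_sample_tree()
    for path in ("/cust/http*/web-*/var/log/modsec-audit.log*",
                 "/cust/http1/web-1/var/log/modsec-audit.log*"):
        r = crawl(base, path)
        print(path, "-> root", r["root"], "| stat'd", len(r["visited"]),
              "| matched", len(r["matched"]), "| unresolved", r["unresolved"])
```

The wide stanza starts at /cust and therefore stats the whole soe/ subtree, including the dangling link, while the explicit /cust/http1/web-1/... stanza starts in the log directory itself and matches the same files without touching soe/ at all. A whitelist or blacklist in inputs.conf only filters what is matched after the walk; narrowing the wildcard-free prefix is what shrinks the walk.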