I need help with setting these wild cards, it seems like Splunk is not picking up the file in the sub folders. Logs are in:
/opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/year/month/day/day/APP-blah-blah-bhal-LOG
There is data in the sub folder in /year/month/day/day/, and then there are the file names that seem random, but start with APP and end with LOG.
Below is what I have set up and no data is coming in.
[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../.../.../.../APP*LOG]
disabled = false
recursive = false
sourcetype = blah
index = foofooblahhhhhh
The three dots are already recursive, so you should be able to try:
[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]
And have it work correctly. It's possible the multiples of those are throwing off the parser.
Also set recursive to true, or else Splunk won't monitor sub-directories at all.
Also you may want to change the last bit so it's (BEGINNING)*.LOG (or w/e the file extension is if there is one), so for example APP*.LOG. However if it's just a plain file (no extension) then your way should be fine.
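How the two stanza paths from this thread translate under Splunk's documented wildcard equivalents (`...` as the regex `.*`, `*` as `[^/]*`), as an added example that is not part of the original posts. The file paths are constructed samples, the function names are hypothetical, and the code models only the pattern match, not Splunk's stanza parser or the recursive setting.

```python
import re

BASE = "/opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing"
ORIGINAL = BASE + "/.../.../.../.../APP*LOG"   # stanza path from the question
SUGGESTED = BASE + "/.../APP*LOG"              # stanza path from the answer

# Constructed sample file paths (not real data from the thread).
SAMPLES = {
    "four_levels": BASE + "/2015/06/01/01/APP-abc-123-LOG",
    "two_levels": BASE + "/2015/06/APP-abc-123-LOG",
    "wrong_prefix": BASE + "/2015/06/01/01/OTHER-abc-123-LOG",
    "extra_suffix": BASE + "/2015/06/01/01/APP-abc-123-LOG.gz",
}


def monitor_path_to_regex(path):
    """Translate a monitor path into an anchored regex using the
    documented equivalents: '...' -> '.*' and '*' -> '[^/]*'."""
    parts = []
    i = 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")       # any number of directory levels
            i += 3
        elif path[i] == "*":
            parts.append("[^/]*")    # anything inside one path segment
            i += 1
        else:
            parts.append(re.escape(path[i]))  # literal character
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(stanza_path, file_path):
    """True if file_path satisfies the translated stanza pattern."""
    return monitor_path_to_regex(stanza_path).match(file_path) is not None


def compare(samples=SAMPLES):
    """Return {name: (matches_original, matches_suggested)} per sample."""
    return {name: (matches(ORIGINAL, p), matches(SUGGESTED, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, sugg) in compare().items():
        print(f"{name:13} original={orig!s:5} suggested={sugg}")
```

Under this translation both patterns accept the four-level path; the single `...` form additionally accepts files at other depths, while the four-ellipsis form needs at least four directory separators between the base directory and the file name.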