We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and also in sub-directories under <source>/logs, such as <source>/logs/2016121404.
We wonder whether [monitor:///<source>/logs/.../*.log] would get the data from both areas...
If you want to monitor all logs in the /source/logs directory, you can simply do this:
[monitor:///source/logs/]
whitelist=\.log$
I think that is the cleanest and easiest to understand. But this should do the same thing:
[monitor:///source/logs/.../*.log]
In either case, Splunk will walk the entire directory tree, starting from /source/logs, and index any file it finds where the file path ends in ".log".
Gorgeous!!
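An added example, not part of the original thread and not Splunk's own code: a Python model of which files each stanza form discussed above would select. It assumes Splunk's documented wildcard translation (`...` becomes `.*`, `*` becomes `[^/]*`) and a whitelist regex searched against the full path; the function names and the file list are constructed for illustration.

```python
import re

# Constructed sample tree (not taken from the thread).
FILES = [
    "/source/logs/app.log",
    "/source/logs/notes.txt",
    "/source/logs/2016121404/app.log",
    "/source/logs/2016121404/app.log.1",
    "/source/logs/2016121404/debug/trace.log",
]

def wildcard_to_regex(path):
    """Assumed rule: '...' -> '.*' (may cross '/'), '*' -> '[^/]*' (one segment)."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def select_by_wildcard(path, files=FILES):
    """Files selected by a wildcarded monitor path such as /source/logs/*.log."""
    rx = wildcard_to_regex(path)
    return [f for f in files if rx.match(f)]

def select_by_whitelist(base_dir, whitelist, files=FILES):
    """Directory monitor: recursive walk, whitelist searched in the full path."""
    base = base_dir.rstrip("/") + "/"
    rx = re.compile(whitelist)
    return [f for f in files if f.startswith(base) and rx.search(f)]

if __name__ == "__main__":
    cases = {
        "[monitor:///source/logs/*.log]": select_by_wildcard("/source/logs/*.log"),
        "[monitor:///source/logs/.../*.log]": select_by_wildcard("/source/logs/.../*.log"),
        "[monitor:///source/logs/] whitelist=\\.log$": select_by_whitelist("/source/logs/", r"\.log$"),
    }
    for stanza, hits in cases.items():
        print(stanza)
        for hit in hits:
            print("   ", hit)
```

Under this model the `.../*.log` form needs at least one directory between /source/logs and the file, so it is worth confirming coverage of top-level files on a real forwarder with `splunk list monitor`.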