I have my inputs.conf as follows on a Linux env:
[monitor:///mydomain/logs/project/mytestlogs*.txt]
blacklist = .(gz)$
whitelist = mytestlogs[1-4]{1}.txt
disabled = false
followTail = 0
recursive = false
sourcetype = mydlogs
index = mydindex
However, when the Splunk process starts up, it shows errors like:
ERROR TailingProcessor - matching /mydomain/logs/project/club/ against ^/mydomain/logs/project/myestlogs[^/]*.txt$
Why is it looking at a subdirectory when recursive is set to false? How can I avoid these?
Hi lakshman237
The docs http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Inputsconf say about recursive:
recursive = [true|false]
* If false, Splunk will not monitor subdirectories found within a monitored directory.
* Defaults to true.
But in your stanza you are monitoring a file and not a directory.
Since you use black- and whitelists: what happens if you change your monitor stanza to match only the path but not a wildcarded file?
Verify your settings with splunk list monitor and check the result.
cheers,
MuS
Thanks MuS. I can change the monitor stanza to look at the directory and change the whitelist to allow it. I'll test that out. The reason I had them separately was that there are a lot of files in that directory, and I wanted to get a handful of them to a given sourcetype and others to another... (possibly this could also be controlled via whitelist)
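An added example, not part of the thread and not Splunk code: a small Python model of the two stanza styles discussed above, useful for checking which files a pattern would pick up before deploying it. It assumes the wildcard rewrite visible in the error line (`*` becomes `[^/]*`, anchored with `^` and `$`) and that whitelist and blacklist are regexes searched against the full path; the function names and sample paths are constructed for illustration.

```python
import re

# Constructed sample paths, modelled on the directory in the question.
SAMPLE = [
    "/mydomain/logs/project/mytestlogs1.txt",
    "/mydomain/logs/project/mytestlogs4.txt",
    "/mydomain/logs/project/mytestlogs7.txt",
    "/mydomain/logs/project/mytestlogs2.txt.gz",
    "/mydomain/logs/project/other.txt",
    "/mydomain/logs/project/club/",
    "/mydomain/logs/project/club/mytestlogs1.txt",
]

def implicit_whitelist(monitor_path):
    """Split a wildcarded monitor path into (base directory, anchored regex).
    Assumption: '*' -> '[^/]*' as in the error line; '.' is escaped here."""
    parts = monitor_path.split("/")
    wild = next((i for i, s in enumerate(parts) if "*" in s), len(parts))
    base = "/".join(parts[:wild])
    body = monitor_path.replace(".", r"\.").replace("*", "[^/]*")
    return base, "^" + body + "$"

def direct_files(paths, base):
    """Model recursive = false: keep only entries directly inside base."""
    prefix = base.rstrip("/") + "/"
    return [p for p in paths
            if p.startswith(prefix) and "/" not in p[len(prefix):]]

def selected(paths, whitelist=None, blacklist=None):
    """Keep paths that match the whitelist and do not match the blacklist."""
    return [p for p in paths
            if (not whitelist or re.search(whitelist, p))
            and not (blacklist and re.search(blacklist, p))]

def wildcard_stanza():
    """Wildcarded file path: every entry under base is tested against the regex."""
    _, rx = implicit_whitelist("/mydomain/logs/project/mytestlogs*.txt")
    return selected(SAMPLE, whitelist=rx)

def directory_stanza():
    """Directory path, recursive = false, explicit anchored white/blacklist."""
    files = direct_files(SAMPLE, "/mydomain/logs/project")
    return selected(files, r"/mytestlogs[1-4]\.txt$", r"\.gz$")

if __name__ == "__main__":
    print("wildcard stanza :", wildcard_stanza())
    print("directory stanza:", directory_stanza())
```

In this model the wildcard stanza also keeps mytestlogs7.txt, while the directory stanza with an anchored whitelist keeps only files 1 to 4.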