I'm watching a directory. Let's say it is /foo. The files are in subdirectories: /foo/archive/2010-11/, /foo/archive/2010-10/, /foo/archive/2010-09/
It doesn't appear Splunk is looking recursively to find those subdirectories. Do I need to add every individual month to Splunk? What are my options?
One thought is I could modify the archive script to put a copy of the file in the spool directory, but that means the index isn't "hard set" like it is on that monitored directory. What else? Perhaps I could have Splunk watch /foo/incoming, I'll copy it there and Splunk could read and delete it from that directory?
I think "..." is what I need for recursion. The inputs.conf doesn't make it clear. Would the following monitor work: [monitor:///foo/...]
Or this? [monitor:///foo/.../*]
There is a setting for recursion in the inputs.conf file:
http://www.splunk.com/base/Documentation/latest/admin/Inputsconf
recursive = true|false
* if false, will not go into subdirectories found within a monitored directory
* defaults to true
This must be applied under your specific inputs stanza for the monitored directory. I suspect you should have a setting as follows:
[monitor:///foo*]
Shouldn't the setting be closer to one of these?
[monitor:///foo/]
[monitor:///foo/*]
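
Added example (not part of the original thread, and not Splunk's code): a small model of the wildcard-to-regex equivalence that Splunk's documentation gives for monitor paths ("..." as `.*`, "*" as `[^/]*`), run against the directory layout from the question. Whole-path matching, the file names and the helper names `wildcard_to_regex` and `matched_files` are assumptions made for illustration.

```python
import re


def wildcard_to_regex(path):
    """Translate a monitor path into a regex: '...' -> '.*', '*' -> '[^/]*'."""
    parts = []
    i = 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")        # ellipsis: crosses any number of directory levels
            i += 3
        elif path[i] == "*":
            parts.append("[^/]*")     # asterisk: stays inside one path segment
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    # Assumption of this model: the regex must match the whole file path.
    return re.compile("^" + "".join(parts) + "$")


def matched_files(monitor_path, files):
    """Return the files (in input order) that the wildcard path would select."""
    rx = wildcard_to_regex(monitor_path)
    return [f for f in files if rx.match(f)]


# Constructed sample tree based on the directories named in the question.
SAMPLE_FILES = [
    "/foo/top.log",
    "/foo/archive/2010-11/app.log",
    "/foo/archive/2010-10/app.log",
    "/foo/archive/2010-09/app.log",
]

if __name__ == "__main__":
    for stanza_path in ("/foo/...", "/foo/.../*", "/foo/archive/*/app.log"):
        print("[monitor://%s]" % stanza_path)
        for f in matched_files(stanza_path, SAMPLE_FILES):
            print("    " + f)
```

In this model, "/foo/..." selects every file under /foo at any depth, while "/foo/.../*" selects only files that sit at least one directory below /foo.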