Solved: inputs.conf wildcards don't work

tony_luu · ‎07-12-2013

=== Splunk 5.0.2 ===

I'd like to monitor these files, where "manydirs" is a wildcard:

/my/path/manydirs/error/*.log

so, my monitor stanza looks like this:

[monitor:///my/path/*/error/]
disabled = false
index = myindex
sourcetype = myerrors
recursive = false

also tried this:

[monitor:///my/path/*/error/*.txt]

splunk list monitor shows the correct path.
and no TailingProcessor errors
Yet nothing got indexed.
The doc sounds pretty straight forward but didn't work.
Very frustrated. Please help.

Thanks, Tony.

okrabbe_splunk · ‎07-12-2013

You need to use ... to recurse multiple levels of directories.

[monitor:///my/path/.../error/*.log]
disabled = false
index = myindex
sourcetype = myerrors

View solution in original post

tony_luu · ‎07-15-2013

Gotta clarify my problem.
I don't want recursive, but rather many different directories at the same level where '' is,

i.e

/my/path/core/error/.log

/my/path/supp/error/.log

/my/path/misc/error/.log

...

I guess i could use the recursive '...' route, but even that didn't work for me.

landen99 · ‎11-24-2016

why did you make it your accepted answer then?

okrabbe_splunk · ‎07-12-2013

You need to use ... to recurse multiple levels of directories.

[monitor:///my/path/.../error/*.log]
disabled = false
index = myindex
sourcetype = myerrors

inputs.conf wildcards don't work

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes