Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After upgrading from Splunk 6.1.3 to 6.2.1, why did universal forwarders stop sending logs that were specified with wildcards in the inputs.conf monitor stanzas?

mikehodges01
Explorer
‎04-13-2015 01:36 PM

I upgraded from 6.1.3 to 6.2.1 recently and noticed that some of my universal forwarders stopped sending certain logs. Upon further inspection, I noticed that it stopped sending logs that were specified with wildcards in the folder name, eg, c:\folder*logs\logs\*. In splunkd.log I see that it adds a watch on path c:\. I know that Splunk is supposed to parse c:\folder*logs\logs\* into something along the lines of

[monitor://c:\]
whitelist = folder*logs\logs\*

but this doesn't seem to be working anymore. I had to specify actual folder names to get it to work. Does anyone have any ideas? Or am I just crazy? Thanks!

0 Karma
Reply

mikebd
Path Finder
‎06-21-2015 02:45 AM

Did you try explicitly setting recursive = true?
Reference: Inputs.conf

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...