Hi All,
I am trying to monitor a logfile which is generated in a path every day at 23:55 from a python script. My problem here is the file name of the log file changes everyday as the script is appending date to the file name.
Eg: Today the file name is "eswitch_16122019_235501_7000.log"
Tomorrow the file name will be "eswitch_17122019_235501_7000.log"
My inputs.conf is as below
[monitor:///opt/home/splunk_eswitch/eswitch_*.log]
disabled = false
index = test2
sourcetype = eswitch
Now when I run splunk list monitor I am seeing a below
/opt/home/splunk_eswitch/eswitch_*.log
/opt/delphi/splunk_eswitch/eswitch_16122019_235501_7000.log
My question is tomorrow does the forwarder sends the newly created file log to indexer with any issue as the yesterday's file will not be present in the same path.
Is there any better regex to have in inputs.conf then above one
↧