Hello Splunkers.
I have an issue that I've been dealing with for the past 2 days but no success in solving it.
I'm working on a Splunk cluster environment, 3 SH and 2 IDX.
I have a UF installed on a SunOS machine.
This UF monitors a file called runlog.098880020 (the number is actually just an ID, it doesn't really matter).
This log can be found at the path `/export/tsi/tsi/tsiout.1509/runlog.098880020`
The thing is: the application creates a new folder every month (tsiout.1505, tsiout.1506, tsiout.1507, tsiout.1508, tsiout.1509....)
This is how I've set my inputs.conf:

```
[monitor:///export/home/tsi/tsi/.../runlog*]
index = tsi
sourcetype = tsi_logs
```

However, when Splunk starts indexing the files, it indexes only a few folders (e.g., tsiout.1406 and tsiout.1409).
If I set my inputs.conf as follows, I can see the current log being indexed:

```
[monitor:///export/home/tsi/tsi/tsiout.1509/runlog*]
index = tsi
sourcetype = tsi_logs
```
Do you guys know why this is happening?
Shouldn't the `...` tell Splunk to search in every folder for the runlog* file?
Thank you guys!
Regards!