I have multiple servers running a Splunk 6.2.5 universal forwarder and it is indexing recursively just fine from /var/log/...
I just installed 6.3, using the exact same install script (very vanilla, nothing fancy), and it is not indexing anything other than /var/log/. Both are running RHEL 6.7.
I tried adding 'recursive = true' but that had no effect.
The inputs.conf files are identical on both:
[monitor:///var/log]
disabled = false
index = main
I also tried adding a second stanza:
[monitor:///var/log/squid]
disabled = false
index = main
recursive = true
sourcetype = squid
This is especially concerning since this is a proxy server (/var/log/squid/) and it's missing the most important stuff! I would go back to 6.2.5 but I just purged all my older sources... :-\
Am I missing something?
Thanks!