I've been messing about with this for a while now and I can't seem to figure out the rhyme or reason behind how wildcards work in the Splunk inputs.conf file. I'm trying to pull in logs from PingFederate... logs are in this directory:
E:\PingFederate-Engine\log
Logs would look like:
server.log
server.log.1
server.log.2
splunk-audit.log
splunk-audit.2016-01-19.log
splunk-audit.2016-01-20.log
I want to process the server.log file as well as the rollovers but none of my wildcards work. In my mind this should work... but it doesn't pull any files at all:
[monitor://E:\PingFederate-Engine\log\server*.log*]
index = pingfederate_server
[monitor://E:\PingFederate-Engine\log\splunk_audit*.log]
index = pingfederate_splunk_audit
Any idea what the trick is behind these wildcards?