Hi there,
We have a Splunk forwarder deployed on a Windows server, and inputs.conf is configured with two log sources.

[default]
host = test_OP_CBE_AUX1

[monitor://C:\ClearPath\logs]
whitelist = [\\]cpe2Pims-\d\d\d\d_\d\d_\d\d\.log$
index = pb
sourcetype = json
recursive = false
disabled = false

[monitor://C:\ClearPath\logs\CatalogUpdater]
whitelist = [\\]UnclassifiedExtractor_splunk\.log
index = pb
sourcetype = json
recursive = false
disabled = false

However, we are seeing logs forwarded to the Splunk indexer only from [monitor://C:\ClearPath\logs], and the other source, [monitor://C:\ClearPath\logs\CatalogUpdater], does not forward its logs.
If we set disabled to "true" for [monitor://C:\ClearPath\logs], we immediately see logs being forwarded from [monitor://C:\ClearPath\logs\CatalogUpdater].
This is not a licensing issue. Any inputs on what's causing this issue will be greatly appreciated.
Cheers,
Pam