Howdy!
I have been racking my head around this for the past few days and cannot seem to figure it out. For testing purposes I/we have a "Test" Splunk indexer and a "production" Splunk indexer that has been set up recently.
The test Splunk indexer is older, and has been properly indexing the forwarders' log data. The new setup/indexer is not.
In the forwarder inputs.conf I have the following:
[monitor:///mt/tomcat/logs]
# Monitor the directory; '(log|err)' is regex syntax, not a monitor-path wildcard
# (only '*' and '...' are), so file selection is done by whitelist/blacklist below.
sourcetype = log4j
alwaysOpenFile = 1
crcSalt = <SOURCE>
# Files whose modification time is older than 7 days are not read at all.
ignoreOlderThan = 7d
disabled = false
# Regexes matched against the full path; blacklist takes precedence over whitelist.
whitelist = \.(log|err)$
blacklist = \.zip
On the "Test" Splunk indexer, if the following query is run:
error OR ftp OR com.mt.utils.FTP host="somehostname" (this has been simplified for posterity)
Search results are as expected. On the other instance nothing turns up, or it looks like it can't retrieve any data prior to the initial setup date.
Any assistance anyone can give would be helpful.
Thanks!
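The following is an added example, not code from the poster or from Splunk: an offline model of how a [monitor://] stanza selects files, so the posted inputs.conf can be checked without a forwarder. It implements the documented selection rules (a wildcard-free path is a directory read recursively; '*' matches within one path segment and '...' across segments; whitelist and blacklist are regexes tested against the full path with blacklist winning; ignoreOlderThan is compared against file modification time) and flags regex syntax such as '(log|err)' in the monitor path, which is not a supported wildcard. The file listing, modification times and the fixed clock are constructed for the example; the corrected stanza monitors the directory and leaves file selection to the whitelist.

```python
"""Offline check of a Splunk [monitor://] stanza (added example, not the poster's code).

Models the documented file-selection rules of a monitor input and applies them to a
constructed directory listing, so a stanza can be sanity-checked without a forwarder.
"""
import re
from configparser import ConfigParser

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_age(spec):
    """'7d' -> 604800 seconds; an empty/absent value means no age limit."""
    if not spec:
        return None
    m = re.fullmatch(r"(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"bad ignoreOlderThan value: {spec!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def lint_monitor_path(path):
    """Warn about regex syntax in a monitor path; only '*' and '...' are wildcards."""
    warnings = []
    if re.search(r"[()|\[\]]", path):
        warnings.append(
            f"{path}: regex syntax is not a monitor-path wildcard (only '*' and '...'); "
            "monitor the directory and select files with whitelist/blacklist instead.")
    return warnings


def path_matcher(path):
    """Build a predicate 'does this file fall under the monitor path'."""
    if "*" not in path and "..." not in path:
        # No wildcards: a directory is monitored recursively.
        prefix = path.rstrip("/") + "/"
        return lambda f: f == path or f.startswith(prefix)
    pattern, i = "", 0
    while i < len(path):
        if path.startswith("...", i):       # '...' spans path separators
            pattern, i = pattern + ".*", i + 3
        elif path[i] == "*":                # '*' stays within one segment
            pattern, i = pattern + "[^/]*", i + 1
        else:
            pattern, i = pattern + re.escape(path[i]), i + 1
    rx = re.compile("^" + pattern + "$")
    return lambda f: rx.match(f) is not None


def load_monitor_stanzas(conf_text):
    """Return {monitor path: options} for every [monitor://...] stanza."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep crcSalt / ignoreOlderThan case as written
    cp.read_string(conf_text)
    return {s[len("monitor://"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("monitor://")}


def selected_files(conf_text, files, now):
    """files: list of (path, mtime_epoch). Returns the sorted paths the stanzas would read."""
    picked = set()
    for path, opts in load_monitor_stanzas(conf_text).items():
        if opts.get("disabled", "false").lower() in ("1", "true"):
            continue
        under = path_matcher(path)
        wl = re.compile(opts["whitelist"]) if "whitelist" in opts else None
        bl = re.compile(opts["blacklist"]) if "blacklist" in opts else None
        max_age = parse_age(opts.get("ignoreOlderThan"))
        for f, mtime in files:
            if not under(f):
                continue
            if bl and bl.search(f):             # blacklist takes precedence
                continue
            if wl and not wl.search(f):
                continue
            if max_age is not None and now - mtime > max_age:
                continue                        # skipped entirely by ignoreOlderThan
            picked.add(f)
    return sorted(picked)


NOW = 1_700_000_000  # fixed clock so the example is reproducible
DAY = 86400
# Constructed listing (path, mtime); not taken from the poster's host.
FILES = [
    ("/mt/tomcat/logs/catalina.log", NOW - 1 * DAY),
    ("/mt/tomcat/logs/app.err", NOW - 2 * DAY),
    ("/mt/tomcat/logs/old.log", NOW - 30 * DAY),        # older than 7d
    ("/mt/tomcat/logs/archive.zip", NOW - 1 * DAY),     # blacklisted
    ("/mt/tomcat/logs/notes.txt", NOW),                 # not whitelisted
    ("/mt/tomcat/logs/2023/rotated.log", NOW - 1 * DAY),  # subdirectory
]
POSTED_PATH = "/mt/tomcat/logs/*.(log|err)"  # the path as posted
CORRECTED_CONF = r"""
[monitor:///mt/tomcat/logs]
sourcetype = log4j
crcSalt = <SOURCE>
ignoreOlderThan = 7d
disabled = false
whitelist = \.(log|err)$
blacklist = \.zip
"""

if __name__ == "__main__":
    for w in lint_monitor_path(POSTED_PATH):
        print("warning:", w)
    for f in selected_files(CORRECTED_CONF, FILES, NOW):
        print("would be read:", f)
```

Running it with the constructed listing lists only catalina.log, app.err and the rotated file in the subdirectory; old.log drops out because of ignoreOlderThan, which is worth keeping in mind when a newly pointed-at indexer appears to have nothing older than its setup date.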