As someone new to Splunk would appreciate some guidance - whilst I had some success in that an inputs and outputs have been configured and I can now search data in the GUI - it appears data has stopped being forwarded / consumed, the last event is Wed May 15 13:58:52 2013
However I can see the log files are still being updated and the data is constantly being added too.
Is my configuration in inputs wrong?
[monitor:///crd/ua1/mtusr10/91/serverapps/logs] whitelist = cr_server.html$ disabled = false crcSalt = <source> index = crd_index
[monitor:///crd/ua1/mtusr11/91/serverapps/logs] whitelist = cr_server.html$ disabled = false crcSalt = <source> index = crd_index
[monitor:///crd/ua1/mtusr11/91/serverapps/logs] whitelist = cr_server.html$ disabled = false crcSalt = <source> index = crd_index
Extract from splunkd on forwarder;
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///crd/ua1/mtusr11/91/serverapps/logs. 05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Adding watch on path: /crd/ua1/mtsys10/91/serverapps/logs.
Appreciate any help or guidance on things to check?