Globbing rules of monitor inputs can be tricky. https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#MONITOR:

I'd point the input to the whole directory (without wildcards) and set the whitelist to *.log files. (If you don't have any other files in those directories, you can skip the whitelist altogether.)

[monitor://D:\Logs\Syslog\Logs\switch]
sourcetype = syslog-switch
disabled = false
whitelist = .*\.log
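An added example, not part of the original post: a small Python check of which files under the monitored directory the `whitelist` regex from the stanza would select. It assumes the whitelist is an unanchored regular expression matched against the full file path, uses Python's `re` as a stand-in for Splunk's regex engine, and runs on constructed sample paths; the end-anchored pattern `\.log$` is included for comparison and is not from the post.

```python
import re

POSTED = r".*\.log"    # whitelist value from the stanza above
ANCHORED = r"\.log$"   # comparison pattern (assumption, not from the post)

# Constructed sample paths under the monitored directory.
SAMPLE_PATHS = [
    r"D:\Logs\Syslog\Logs\switch\sw01.log",
    r"D:\Logs\Syslog\Logs\switch\sw01.log.1",
    r"D:\Logs\Syslog\Logs\switch\sw01.log.gz",
    r"D:\Logs\Syslog\Logs\switch\notes.txt",
    r"D:\Logs\Syslog\Logs\switch\catalog.csv",
    r"D:\Logs\Syslog\Logs\switch\core01\sw02.log",  # subdirectory
]


def is_valid_regex(pattern):
    """Return True if the pattern compiles as a regex (a glob like *.log does not)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def monitored(paths, whitelist=None):
    """Return the paths an unanchored whitelist regex would keep.

    With no whitelist, every file in the directory is kept.
    """
    if whitelist is None:
        return list(paths)
    rx = re.compile(whitelist)
    # search(), not fullmatch(): the pattern may match anywhere in the path.
    return [p for p in paths if rx.search(p)]


def basenames(paths):
    """Strip the directory part for compact display."""
    return [p.rsplit("\\", 1)[-1] for p in paths]


if __name__ == "__main__":
    print("glob '*.log' is a valid regex:", is_valid_regex("*.log"))
    print("posted  :", basenames(monitored(SAMPLE_PATHS, POSTED)))
    print("anchored:", basenames(monitored(SAMPLE_PATHS, ANCHORED)))
    print("no list :", basenames(monitored(SAMPLE_PATHS)))
```

Under these assumptions the posted pattern also keeps rotated and compressed copies such as `sw01.log.1` and `sw01.log.gz`, while the anchored pattern keeps only names ending in `.log`.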