https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108350#M22798 <P>I know this question has been asked numerous times before, because I've read most of the questions and answers. I still can't seem to get it right, no matter what I try. We have several Windows servers running JBoss. The folder structure is similar to the following...</P> <PRE><CODE>D:\jboss\server\&lt;ContainerName&gt;\log\ access.2011-05-24.log app.log boot.log stderr.log stdout.log </CODE></PRE> <P>So, the goal is to pull access.YYYY-MM-DD.log as sourcetype=access_common and everything else as sourcetype=log4j. Ideally, I'd like to be able to create a JBoss server class and push a generic configuration out to all of our JBoss servers to pull the logs.</P> <P>I've tried several different things, but nothing seems to work as expected. I've tried using simple regular expressions in the [monitor] stanzas as suggested in one answer and I've tried a very general [monitor:] stanza pointing at the directory with accompanying [source::] stanzas to filter the file names and specify sourcetypes in props.conf. I've tried more than that, but those two seemed to be the most promising. I've used <A href="https://servername:8089/services/admin/inputstatus/TailingProcessor:FileStatus">https://servername:8089/services/admin/inputstatus/TailingProcessor:FileStatus</A> to verify the files are being read, but they don't seem to be getting indexed, or they don't have the expected sourcetype if they are.</P> <P>I know things have changed from version to version in Splunk and maybe the problem is that I'm trying things that don't work anymore. Can someone set me straight?</P> <P>My current configuration is as follows...</P> <P>inputs.conf:</P> <PRE><CODE># # JBoss - Common Log Files # [monitor://D:\jboss\server\*\log\*.log] index = fod-web </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[source::...\\access\.\d{4}-\d{2}-\d{2}\.log$] sourcetype = access_common [source::...\\(?!access)[\w-_.]+\.log$] sourcetype = log4j </CODE></PRE> Tue, 24 May 2011 16:07:32 GMT jheilman 2011-05-24T16:07:32Z https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108350#M22798 <P>I know this question has been asked numerous times before, because I've read most of the questions and answers. I still can't seem to get it right, no matter what I try. We have several Windows servers running JBoss. The folder structure is similar to the following...</P> <PRE><CODE>D:\jboss\server\&lt;ContainerName&gt;\log\ access.2011-05-24.log app.log boot.log stderr.log stdout.log </CODE></PRE> <P>So, the goal is to pull access.YYYY-MM-DD.log as sourcetype=access_common and everything else as sourcetype=log4j. Ideally, I'd like to be able to create a JBoss server class and push a generic configuration out to all of our JBoss servers to pull the logs.</P> <P>I've tried several different things, but nothing seems to work as expected. I've tried using simple regular expressions in the [monitor] stanzas as suggested in one answer and I've tried a very general [monitor:] stanza pointing at the directory with accompanying [source::] stanzas to filter the file names and specify sourcetypes in props.conf. I've tried more than that, but those two seemed to be the most promising. I've used <A href="https://servername:8089/services/admin/inputstatus/TailingProcessor:FileStatus">https://servername:8089/services/admin/inputstatus/TailingProcessor:FileStatus</A> to verify the files are being read, but they don't seem to be getting indexed, or they don't have the expected sourcetype if they are.</P> <P>I know things have changed from version to version in Splunk and maybe the problem is that I'm trying things that don't work anymore. Can someone set me straight?</P> <P>My current configuration is as follows...</P> <P>inputs.conf:</P> <PRE><CODE># # JBoss - Common Log Files # [monitor://D:\jboss\server\*\log\*.log] index = fod-web </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[source::...\\access\.\d{4}-\d{2}-\d{2}\.log$] sourcetype = access_common [source::...\\(?!access)[\w-_.]+\.log$] sourcetype = log4j </CODE></PRE> Tue, 24 May 2011 16:07:32 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108350#M22798 jheilman 2011-05-24T16:07:32Z https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108351#M22799 <P>Could you paste the configuration you are using to try and do your sourcetyping? Also, you may want to review the following, there are some pretty good example configurations:</P> <P><A href="http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/">http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/</A></P> <P>I think you should be using:</P> <P>[source::…\access.\d{4}-\d{2}-\d{2}.log$]</P> <P>and </P> <P>[source::...\(?!access)[\w+.log$]</P> Tue, 24 May 2011 17:00:50 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108351#M22799 jbsplunk 2011-05-24T17:00:50Z https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108352#M22800 <P>I updated the original question with the configuration I'm using currently.</P> Wed, 25 May 2011 14:19:05 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-sourcetypes-in-the-same-directory/m-p/108352#M22800 jheilman 2011-05-25T14:19:05Z