https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152823#M31129 <P>As per the documentation, wildcard usage is not supported.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI</A></P> Tue, 11 Aug 2015 17:47:54 GMT weeb 2015-08-11T17:47:54Z https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152820#M31126 <P>Given this in the props.conf on my indexer:</P> <P>[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\ws_ftp.log]<BR /><BR /> sourcetype = wsftp_log</P> <P>[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\*.rtf]<BR /><BR /> sourcetype = wsftp_session</P> <P>[wsftp_log]<BR /><BR /> TIME_PREFIX = ^<BR /><BR /> TIME_FORMAT = %Y\.%m\.%d %H:%M<BR /><BR /> MAX_TIMESTAMP_LOOKAHEAD = 19<BR /><BR /> SHOULD_LINEMERGE = FALSE<BR /><BR /> LINE_BREAKER = ([\n\r]+)(?=\d{4}.\d{2}.\d{2}\s\d{2}:\d{2}}<BR /><BR /> TRUNCATE = 99999</P> <P>[wsftp_session]<BR /><BR /> TIME_PREFIX = ^\cf2 \[<BR /><BR /> TIME_FORMAT = %Y\.%m\.%d %H:%M:%S\.%3N<BR /><BR /> SHOULD_LINEMERGE = FALSE<BR /><BR /> MAX_TIMESTAMP_LOOKAHEAD = 30<BR /><BR /> LINE_BREAKER = ([\n\r]+)(?=^\cf2\s\[)<BR /><BR /> TRUNCATE = 999999</P> <P>When I run this:</P> <P>$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -index testing </P> <P>OR</P> <P>$SPLUNK_HOME/bin/splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\salem_file1.rtf" -index testing</P> <P>It doesn't identify the sourcetype at all.</P> <P>Why?</P> Mon, 05 May 2014 16:02:20 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152820#M31126 tyronetv 2014-05-05T16:02:20Z https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152821#M31127 <P>Maybe it has something to do with the wildcard in the source name. Did you try specifying the sourcetype in the command?</P> <P><CODE>$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -sourcetype wsftp_log -index testing</CODE></P> Mon, 05 May 2014 17:22:33 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152821#M31127 lukejadamec 2014-05-05T17:22:33Z https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152822#M31128 <P>Of course I can identify the sourcetype via the command line. The test was to check whether the props.conf on the indexer would do the identification so I can deploy an app to gather these logs from various machines and various users (hence the * in the path).</P> Tue, 06 May 2014 15:14:48 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152822#M31128 tyronetv 2014-05-06T15:14:48Z https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152823#M31129 <P>As per the documentation, wildcard usage is not supported.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI</A></P> Tue, 11 Aug 2015 17:47:54 GMT https://community.splunk.com/t5/Getting-Data-In/source-type-identification-in-props-conf/m-p/152823#M31129 weeb 2015-08-11T17:47:54Z