https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306074#M57732 <P>If the different log types are going to different indexes, then yes, you will need 30 different configs. But if the only difference will be the sourcetype, you could do an override in props.conf. You still have to configure all the different configs, but it might be easier to do. Take a look at this:</P> <P><STRONG>inputs.conf</STRONG><BR /> [monitor:///mnt/log/files/]<BR /> whitelist=.gz$<BR /> host_segment=7<BR /> index=webserver</P> <P><STRONG>props.conf</STRONG><BR /> [source::/mnt/log/files/.../access.gz]<BR /> sourcetype=access:apache</P> <P>[source::/mnt/log/files/.../otherthing.gz]<BR /> sourcetype=st_otherthing</P> <P>etc.</P> Thu, 16 Feb 2017 14:44:11 GMT lguinn2 2017-02-16T14:44:11Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306073#M57731 <P>I am trying to onboard ingest about 30 different log type from a single Source (Linux Server)</P> <P>Currently the logs are being written and zipped by rsyslog in a particular folder (structure below):<BR /> /mnt/log/files/YYYY/MM/DD/hostname/filename.log.gz</P> <P>What would be the best way to ingest the different logtypes</P> <P>I was thinking about the following:</P> <P>[monitor:///mnt/log/files/<EM>/</EM>/<EM>/</EM>/]<BR /> host_segment=7<BR /> whitelist=(.+\access.gz)<BR /> index=webserver<BR /> sourcetype=access:apache</P> <P>Not sure why the asterisks are not showing up on the preview; <BR /> it should be <STRONG>/mnt/log/files/aster*/aster*/aster*/aster*/</STRONG></P> <P>I was also thinking to ingest all 30 log types I would need to create 30 different configs?</P> Tue, 29 Sep 2020 12:54:16 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306073#M57731 plumainwfs 2020-09-29T12:54:16Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306074#M57732 <P>If the different log types are going to different indexes, then yes, you will need 30 different configs. But if the only difference will be the sourcetype, you could do an override in props.conf. You still have to configure all the different configs, but it might be easier to do. Take a look at this:</P> <P><STRONG>inputs.conf</STRONG><BR /> [monitor:///mnt/log/files/]<BR /> whitelist=.gz$<BR /> host_segment=7<BR /> index=webserver</P> <P><STRONG>props.conf</STRONG><BR /> [source::/mnt/log/files/.../access.gz]<BR /> sourcetype=access:apache</P> <P>[source::/mnt/log/files/.../otherthing.gz]<BR /> sourcetype=st_otherthing</P> <P>etc.</P> Thu, 16 Feb 2017 14:44:11 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306074#M57732 lguinn2 2017-02-16T14:44:11Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306075#M57733 <P>It would most probably be about 4-5 different indexes<BR /> Best way to do this would be with the inputs as so.. <BR /> <STRONG>inputs.conf</STRONG><BR /> [monitor:///mnt/log/files/]<BR /> whitelist=.gz$<BR /> host_segment=7<BR /> index=webserver</P> <P>[monitor:///mnt/log/files/]<BR /> whitelist=.gz$<BR /> host_segment=7<BR /> index=webapp</P> <P>All 30 log types would be defined as separate sourcetype<BR /> so best way do to this would be with the props.conf as you outlined?<BR /> <STRONG>props.conf</STRONG><BR /> [source::/mnt/log/files/.../access.gz]<BR /> sourcetype=access:apache</P> <P>[source::/mnt/log/files/.../error.gz]<BR /> sourcetype=st_otherthing </P> Thu, 16 Feb 2017 15:47:28 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306075#M57733 plumainwfs 2017-02-16T15:47:28Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306076#M57734 <P>Also what happens to a gz file that I am not aware of? will that get indexed? and will not have a pre-defined sourcetype?</P> Thu, 16 Feb 2017 18:28:45 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-help/m-p/306076#M57734 plumainwfs 2017-02-16T18:28:45Z