Hello to all,
I have a directory (logs/wsa/) and i'm sending a lot of files, but with two different sourcetypes (cisco:wsa:squid, and cisco:wsa:w3c)
I have an input for cisco:wsa:squid in inputs.conf, with /logs/wsa, but i need w3c too. How can I do this?,
Any help, will be very helpful
Thanks
You can refer to several examples for specifying inputs file with wildcards at http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards
You can refer to several examples for specifying inputs file with wildcards at http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards
You can create another monitor statement for that directory and set the sourcetype on the files. You can either use a regex for the file name or a combination of whitelists / blacklists. Refer to the spec file for inputs.conf:
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Inputsconf