Solved: How to monitor two different sourcetypes in the sa...

rubeniturrieta · ‎12-29-2014

Hello to all,

I have a directory (logs/wsa/) and i'm sending a lot of files, but with two different sourcetypes (cisco:wsa:squid, and cisco:wsa:w3c)
I have an input for cisco:wsa:squid in inputs.conf, with /logs/wsa, but i need w3c too. How can I do this?,

Any help, will be very helpful

Thanks

jayannah · ‎12-29-2014

You can refer to several examples for specifying inputs file with wildcards at http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards

View solution in original post

jayannah · ‎12-29-2014

You can refer to several examples for specifying inputs file with wildcards at http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards

esix_splunk · ‎12-29-2014

You can create another monitor statement for that directory and set the sourcetype on the files. You can either use a regex for the file name or a combination of whitelists / blacklists. Refer to the spec file for inputs.conf:

http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Inputsconf

How to monitor two different sourcetypes in the same directory?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!