My inputs.conf is configured to monitor a directory with many different subfolders, and each contains different types of log files. Is there a way I can make crcSalt only apply to a certain subfolder or file type?
For example, here is my inputs.conf entry:
[monitor://c:\var\log\data\]
disabled = false
index = logdata
If I add crcSalt = <SOURCE> here, it will apply to all input files within the c:\var\log\data folder. But what if I only want it to apply to files in the c:\var\log\data\program subfolder? (I have too many subfolders to define inputs.conf entries for each one).
Is there a way I can make crcSalt only apply to a specific folder or file within my input directory?
If you want to monitor a specific file type, you need to give the recursive option from the parent directory. This will monitor the file type in all the subfolders.
[monitor://E:\...\foo\*.log]
recursive = true|false
If set to false, Splunk will not go into subdirectories found within a monitored directory. Defaults to true.
If you need to monitor a specific subfolder, then you have to mention it or the pattern so Splunk understands. Please follow this for the options. I am not sure why you would want to use crcSalt, but in your case it will be crcSalt=Source/Any string.
In case I was not clear, my input is already recursive and that is intended.
Basically, I want my inputs to be recursive, but crcSalt to not be recursive. For example:
\var\log\data\* NO crcSalt
\var\log\data\program1 YES crcSalt
\var\log\data\program2 NO crcSalt
Unfortunately, you have to make two groups: where you want to apply crcSalt and where you don't. Maybe some other solution may work. You need to match the subdirectory pattern through a wildcard and put in some effort, but I am not sure how it would be possible to apply it.
Without getting into why you want to use crcSalt (which is needed only for very specific use cases), you can't do something like what you're describing at the parent level. As such, you'd need to remove the parent-level monitor stanza and configure the monitor stanzas for the children ONLY; otherwise you'll end up with overlapping stanzas, which will result in inputs being treated inconsistently, as per the documentation.
So what you'd need to do would be:
[monitor://c:\var\log\data\program1]
disabled = false
index = logdata

[monitor://c:\var\log\data\program2]
disabled = false
crcSalt = <SOURCE>
index = logdata
This is the only way to achieve the configuration you're describing in a manner that will result in reliable behavior.
That's what I figured, but I was hoping there was another way. My environment has so many subfolders, that it would be difficult to maintain separate inputs.conf entries for each of them, which is why I have the recursive parent input.
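One way to keep the per-child stanzas from the answer above maintainable is to generate them. This is an added example, not part of the original thread and not a Splunk tool; the function name build_inputs and its parameters are hypothetical, and the folder names in the sample run are constructed.

```python
import os
import tempfile


def build_inputs(parent, salted, index="logdata"):
    """Return inputs.conf text with one monitor stanza per immediate
    subfolder of `parent`. crcSalt = <SOURCE> is written only for folder
    names listed in `salted` (compared case-insensitively, as on Windows)."""
    salted_lc = {name.lower() for name in salted}
    children = sorted(
        e.name for e in os.scandir(parent) if e.is_dir(follow_symlinks=False)
    )
    missing = salted_lc - {c.lower() for c in children}
    if missing:
        # A typo in `salted` would otherwise silently leave a folder unsalted.
        raise ValueError(f"salted folders not found: {sorted(missing)}")
    stanzas = []
    for child in children:
        lines = [f"[monitor://{os.path.join(parent, child)}]",
                 "disabled = false"]
        if child.lower() in salted_lc:
            lines.append("crcSalt = <SOURCE>")
        lines.append(f"index = {index}")
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    # Constructed sample tree standing in for c:\var\log\data
    with tempfile.TemporaryDirectory() as root:
        for name in ("program1", "program2", "program3"):
            os.mkdir(os.path.join(root, name))
        print(build_inputs(root, salted=["program1"]))
```

The output replaces the parent-level stanza rather than sitting beside it, so files stored directly in the parent folder are no longer monitored. Regenerate the file whenever a subfolder is added.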