Getting Data In

Can multiple sourcetypes be monitored from the same path

tim9gray
Explorer

I know that this question has been asked quite a few times, but I have not been able to resolve this. Can I monitor multiple sourcetypes from the same path? The answer seems to be yes, but this just won't work for me.

If I specify two monitors that reference the same directory, I only get data from the second monitor stanza in my inputs.conf. I suspect there is something subtle happening here I have not picked up on. Does anyone have any suggestions? Below is an example of the inputs.conf I have been using.

[monitor:///home/bob/time_data.csv]
sourcetype = DGC_TIME
index=main

[monitor:///home/bob/pulse_data.csv]
sourcetype = DGC_PULSE
index=main

0 Karma

HiroshiSatoh
Champion

I tried with the same settings, and it went well. This is version 5.0.3 on Linux.

However, it failed at first because of the wrong character encoding of the CSV file.

0 Karma

kristian_kolb
Ultra Champion

To find out what the TailingProcessor is (not) doing, you can look in the splunkd.log or perhaps more easily query the REST interface directly:

Go to the machine where the inputs.conf file is at (forwarder or indexer). You need to authenticate with the correct admin password for that instance (admin/changeme) if still at default.

https://your_host:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Scroll down until you find your file and the corresponding status message.

This link may also be helpful:

http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

/K

tim9gray
Explorer

I figured it out. The files I was interested in all started with exactly the first eleven lines, so Splunk thought they were all the same file. I had to use the crcsalt option in inputs.conf.

0 Karma
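The behaviour described in the post above, as an added example that is not part of the original thread and not Splunk's own code: a pre-flight check that flags files whose leading bytes are identical, and shows that mixing the source path into the fingerprint separates them. Assumptions: a 256-byte head window (the default `initCrcLength`), `zlib.crc32` as a stand-in for the real checksum, and path-prepending as a model of `crcSalt = <SOURCE>`; the helper names and the sample CSV contents are constructed for illustration.

```python
import os
import tempfile
import zlib
from collections import defaultdict

HEAD_BYTES = 256  # assumption: default initCrcLength window


def head_fingerprint(path, salt=b"", length=HEAD_BYTES):
    """CRC32 over an optional salt plus the first `length` bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(length)
    return zlib.crc32(salt + head)


def find_collisions(paths, salt_with_source=False):
    """Return groups (2+ files) whose head fingerprints are identical."""
    groups = defaultdict(list)
    for p in paths:
        # Models crcSalt = <SOURCE>: the full path is mixed into the checksum.
        salt = os.fsencode(p) if salt_with_source else b""
        groups[head_fingerprint(p, salt)].append(p)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_sample_files(directory):
    """Constructed sample data: two CSVs sharing an identical 11-line preamble."""
    preamble = "".join(
        f"# header line {i}: instrument export v1\n" for i in range(1, 12)
    )
    bodies = {"time_data.csv": "t,value\n0,1.5\n", "pulse_data.csv": "t,pulse\n0,72\n"}
    paths = []
    for name, body in bodies.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(preamble + body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = build_sample_files(d)
        print("unsalted collisions:", find_collisions(sample))
        print("salted collisions:  ", find_collisions(sample, salt_with_source=True))
```

Running a check like this over a monitored directory before onboarding a log source helps catch silently skipped files, which otherwise show up only as a gap in the index.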

gfuente
Motivator

Hello

For sure you can do that, and for your particular problem, I would check file permissions, as your configuration appears to be fine.

Regards
