Configuration to forward log files to separate ind...

nissanse98 · ‎07-16-2014

Hello!

I have an application that sends two different .log files to the C:\\Program Files (x86)\\Application\_Data directory. The log files are

AAAAAA_MM_DD_YYYY_HH_mm_ss.log and BBBBB_MM_DD_YYYY_HH_mm_ss.log.

I need each log file to go to a separate index in Splunk and have the following inputs.conf configuration:

NOTE: Had to change "Program Files (x86)" to "PROGRA~2"....that took forever to figure out! Geez.

[monitor:///C:\\PROGRA~2\\Application\_Data\\AAAAAA*.log]
index=AAAAA_gui
disabled=false
sourcetype=AAAAA_gui.log

[monitor:///C:\\PROGRA~2\\Application\_Data\\BBBBB*.log]
index=BBBBB_app
disabled=false
sourcetype=BBBBB_app.log

If I remove one stanza, the remaining stanza forwards the appropriate data. If they are both in the inputs.conf, none are sent to splunk.

I've tried blacklist and whitelist on each.

lguinn2 · ‎07-16-2014

I think that because these have wildcards, the monitor stanzas are "overlapping" in some way. So I would recommend this:

On the forwarder(s):

inputs.conf

[monitor:///C:\PROGRA~2\Application\_Data\]
whitelist=AAAAAA.*\.log$ | BBBBB.*\.log$
disabled=false

props.conf

[source::C:\PROGRA~2\Application\_Data\AAAAA*.log]
sourcetype=AAAAA_gui.log

[source::C:\PROGRA~2\Application\_Data\BBBBB*.log]
sourcetype=BBBBB_app.log

On the Splunk indexer(s):

props.conf

[AAAAA_gui.log]
TRANSFORMS-AAAAA=send_to_index_AAAAA_gui

[BBBBB_app.log]
TRANSFORMS-BBBBB=send_to_index_BBBBB_app

transforms.conf

[send_to_index_AAAAA_gui]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=AAAAA_gui

[send_to_index_BBBBB_app]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=BBBBB_app

lguinn2 · ‎07-17-2014

Are the files appearing in any index?

nissanse98 · ‎07-16-2014

I appreciate the help; sorry for the several comments....I do not understand why there would be a character limit for replies in the forum............

nissanse98 · ‎07-16-2014

I restarted the forwarder service.
On the splunk server/indexer:
props.conf was not located at:C:\\Program Files\\Splunk\\etc\\system\\local, so I created it as follows:

[AAAAA_gui.log]
TRANSFORMS-AAAAA=send_to_index_AAAAA_gui
[BBBBB_app.log]
TRANSFORMS-BBBBB=send_to_index_BBBBB_app

Additionally, transforms.conf was no in the C:\\Program Files\\Splunk\\etc\\system\\local, so I created it as follows:

[send_to_index_AAAAA_gui]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=AAAAA_gui
[send_to_index_BBBBB_app]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=BBBBB_app

nissanse98 · ‎07-16-2014

No Success yet:
inputs.conf: C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\local

[default]
host = xxxxxx
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor:///C:\\PROGRA~2\\Application\_Data\]
whitelist=AAAAAA..log$ | BBBBB..log$
disabled=false

props.conf was not in the "C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\local" so I created it exactly as below:
[source::C:\\PROGRA~2\\Application\_Data\\AAAAA*.log]
sourcetype=AAAAA_gui.log
[source::C:\\PROGRA~2\\Application\_Data\\BBBBB*.log]
sourcetype=BBBBB_app.log