I have a directory /logdir and it contains various types of files, such as apache logs, syslog files, local applications logs and so on.
Splunk 3.x & 4.0.x doesn't support overlapping input stanzas, so how is this best accomplished?
The approach is discussed here:
http://www.splunk.com/wiki/Community:Monitoring_a_mixed_sourcetype_directory
First, set up an input stanza that captures all the files you are interested, possibly using whitelist and blacklist regexes.
Second, use props.conf patterns to apply sourcetypes to the file entries.
View solution in original post
