I have a directory /logdir and it contains various types of files, such as apache logs, syslog files, local applications logs and so on.
Splunk 3.x & 4.0.x doesn't support overlapping input stanzas, so how is this best accomplished?
The approach is discussed here:
First, set up an input stanza that captures all the files you are interested, possibly using whitelist and blacklist regexes.
Second, use props.conf patterns to apply sourcetypes to the file entries.
View solution in original post