How do I edit my current inputs.conf and props.conf for proper monitoring, setting a sourcetype, and line breaking?

New Member

Sorry newbie questions.
I have been looking at trying my hand at customizing the setup, instead of using the GUI.
These are from things I have tried and read in the docs.

The idea would be to set up the input folders in the "inputs.conf" file with "monitor" to grab the logs, then use the "props.conf" file with "rule" to set the sourcetype for the logs.
The next thing I am going to do is set up log parsing to linebreak before the log events.

A.
I created an inputs.conf and a props.conf file.
I added it to this folder and it did not read the inputs.conf file:

D:\Splunk\etc\apps\ZINPUTS\defaults\inputs.conf

I moved it to this folder and then it read it:

D:\Splunk\etc\system\local\inputs.conf

I want to create a config like an app that I could copy from one server to another. Where should I put my custom conf files?
Is there a CLI command to output which conf files Splunk reads?

B.
Monitoring:
I created this monitor for each folder. I added recursive=true just to remind me what the default setting is.
I have 40 folders that I will monitor.
This does not seem to work.

[monitor://D:\SplunkData\7641\logform1\...\*.log]
recursive = true

I would like to read logs from the following folders:

D:\SplunkData\7641\logform1\*.log
D:\SplunkData\7641\logform1\day1\*.log
D:\SplunkData\7641\logform1\day2\*.log
D:\SplunkData\7641\logform1\day1\hour1\*.log
D:\SplunkData\7641\logform1\day1\hour2\*.log

C.
props.conf
I am thinking I would use props.conf and rules to set the sourcetype of the logs so:
The name of the application appears on line 5 of each log file, can I do this to find and identify the log as the sourcetype:

[rule::logform1]
sourcetype=logform1
REGEX=\t\tlogform1.exe

Currently this throws an error when I start Splunk:

        Invalid key in stanza [rule::logform1] in D:\Splunk\etc\system\local\props.conf, line 3: REGEX (value: \t\tlogform1.exe).

D.
Not sure what I will do here. I would like to set the break between records; there are four record types in one log file, and I would like to break when these appear.

2016-01-07 15:07:30.879 DBUG
15:10:44.072_F_F_8837002
15:10:44.072 Int
Via: SIP/2.0/ UDP

Note: There are several more, but these are some of them.
I was going to use "BREAK_ONLY_BEFORE" for each of these log events.
Any ideas here?

Thanks for the assistance.

0 Karma
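For part D of the question above, one way to check a candidate BREAK_ONLY_BEFORE pattern offline before putting it in props.conf. This is an added example, not part of the original thread: the pattern, the helper name `merge_events` and the sample lines are constructed from the four record starts quoted in the question, Python's `re` stands in for Splunk's regex engine, and the loop is a simplified model of line merging.

```python
import re

# Candidate value for BREAK_ONLY_BEFORE in props.conf (with SHOULD_LINEMERGE = true).
# One alternative per record start listed in part D; the exact field shapes are
# assumptions inferred from those four sample lines.
BREAK_ONLY_BEFORE = (
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [A-Z]+\b"  # 2016-01-07 15:07:30.879 DBUG
    r"|\d{2}:\d{2}:\d{2}\.\d{3}_\w"                             # 15:10:44.072_F_F_8837002
    r"|\d{2}:\d{2}:\d{2}\.\d{3} Int\b"                          # 15:10:44.072 Int
    r"|Via: SIP/2\.0/)"                                         # Via: SIP/2.0/ UDP
)


def merge_events(lines, pattern=BREAK_ONLY_BEFORE):
    """Group lines into events, starting a new event only at a matching line."""
    starts = re.compile(pattern)
    events = []
    for line in lines:
        # Lines before the first match still have to land in some event.
        if starts.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return events


# Constructed sample: the four record starts from the question, each followed
# by a tab-indented continuation line. One continuation repeats a record start
# mid-line to show why the pattern is anchored with ^.
SAMPLE = """\
2016-01-07 15:07:30.879 DBUG constructed message
\tconstructed detail
15:10:44.072_F_F_8837002
\tconstructed payload
15:10:44.072 Int
\tseen at 15:10:44.072 Int (continuation, must not break)
Via: SIP/2.0/ UDP
\tconstructed header line
"""

if __name__ == "__main__":
    for number, event in enumerate(merge_events(SAMPLE.splitlines()), 1):
        print(f"event {number}: {len(event)} line(s), starts with {event[0]!r}")
```

Dropping the leading `^` makes the indented continuation line start a fifth event, which is the kind of mis-break to look for before deploying the stanza.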

Splunk Employee

C. not sure if it will not work, you cannot assign the sourcetype based on the content.
It's easier to make the sourcetype static, in the inputs.conf.

0 Karma

New Member
0 Karma

Splunk Employee

You are right, there is a way to detect the sourcetype later, based on the content of the events, statistically.
But the correct parameter is not REGEX; try MORE_THAN_10:

[rule::logform1]
sourcetype=logform1
MORE_THAN_10=\t\tlogform1.exe
0 Karma