How do I monitor the same path in one app but with different sourcetypes?

przemysaw
Explorer

Hi,

This is my very first question here. I was digging through this site, but did not find an answer to my issue. And the issue is, how do I monitor the same path in one app but with different sourcetypes? Currently, I have something like this:

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_a
blacklist = \/logs\/xyz

The above works, but with some date parsing issues.

And, because there are lots of files in this location, I don't want to list them all. I have figured out that some logs have a different time format. Therefore, I want to split it into a new monitor with the correct timestamp. So I did something like this:

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_a
blacklist = \/logs\/(xyz|dir1\/dir2\/logfile1\.log$|dir1\/dir2\/logfile2\.log$|dir1\/dir2\/logfile3\.log$|dir1\/di2\/logfile4\.log$|dir1\/dir2\/logfile5\.log$|dir1\/dir2\/logfile6\.log$|dir1\/dir3\/logfile7\.log$)

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_b
whitelist = \/logs\/(dir1\/dir2\/logfile1\.log$|dir1\/dir2\/logfile2\.log$|dir1\/dir2\/logfile3\.log$|dir1\/di2\/logfile4\.log$|dir1\/dir2\/logfile5\.log$|dir1\/dir2\/logfile6\.log$|dir1\/dir3\/logfile7\.log$)

And this solution does not work. No logs are available since the configuration has been pushed.

Can you please advise where I am wrong?

Thanks in advance,

Przemek

0 Karma
1 Solution

lakshman239
Influencer

You cannot define two monitor stanzas pointing to the same location with 2 different sourcetypes, even when you are whitelisting/blacklisting.

You need to create different patterns for the monitor stanzas, i.e. monitor:///logs/.../*.log needs to be unique for each sourcetype.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Monitorfilesanddirectorieswithinputs.conf

0 Karma
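
A lint check for the failure discussed in this thread, as an added example that is not part of the original posts and is not Splunk tooling. It assumes that stanzas with an identical name are merged into one, with later settings overriding earlier ones, and replays the question's configuration (shortened to two files, with constructed test paths) against the merged whitelist and blacklist. `merge_stanzas` and `would_monitor` are hypothetical helper names.

```python
import re

# Constructed sample: the configuration from the question, shortened to two files.
SAMPLE_INPUTS = r"""
[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_a
blacklist = \/logs\/(xyz|dir1\/dir2\/logfile1\.log$|dir1\/dir2\/logfile2\.log$)

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_b
whitelist = \/logs\/(dir1\/dir2\/logfile1\.log$|dir1\/dir2\/logfile2\.log$)
"""

def merge_stanzas(conf_text):
    """Return (merged, duplicates): settings per stanza name, and names declared more than once."""
    merged, duplicates, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            if current in merged and current not in duplicates:
                duplicates.append(current)
            merged.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Assumption: a later value for the same key overrides the earlier one.
            merged[current][key.strip()] = value.strip()
    return merged, duplicates

def would_monitor(settings, path):
    """A file must match the whitelist (if set) and must not match the blacklist (if set)."""
    whitelist, blacklist = settings.get("whitelist"), settings.get("blacklist")
    if whitelist and not re.search(whitelist, path):
        return False
    if blacklist and re.search(blacklist, path):
        return False
    return True

if __name__ == "__main__":
    merged, duplicates = merge_stanzas(SAMPLE_INPUTS)
    for name in duplicates:
        print("duplicate stanza:", name, "->", merged[name])
        for path in ("/logs/dir1/dir2/logfile1.log", "/logs/app/server.log"):
            print(" ", path, "monitored:", would_monitor(merged[name], path))
```

Under that assumption the single merged stanza carries both filters: the whitelist admits only the listed files and the blacklist then excludes those same files, so no path passes.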