How to configure input.conf file to monitor multip...

srujana96 · ‎05-09-2022

folder1 we have multiple file f1,f2,f3,f4
need to configure all files for different sourcetype
below is the query which we have created but did not worked

[batch://<path_of the file>]
index=i1
sourcetype=s1
whitelist = f1
move_policy=sinkhole

[batch://<<path of the file>>]
index=i1
sourcetype=s2
whitelist = f2
move_policy=sinkhole

gcusello · ‎05-09-2022

Hi @srujana96,

you have two choices:

using your solution: it's the easiest way,
use only one soucetype and override on Indexers.

Anyway I hint your solution!

Why do you used batch? to ingest logs from a file, you should use monitor insterad batch in the stanza header.

Only one difference, instead to use whitelist option, put the filename in the stanza title, e.g.

[monitor://<path_of the file>/f1]
...

Ciao.

Giuseppe

How to configure input.conf file to monitor multiple files from the same folder for multiple sourcetype.

inputs.conf

Linux

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation