- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PPape
Contributor
02-04-2015
06:59 AM
Hey Guys,
I'm trying to index Data via File Monitor
[monitor://D:\CDR]
disabled = false
index = cdr
sourcetype = cdr
This works just fine, but now I want to separate the files in this Directory there are
cdr[generic Name]_[Date]
and cmd[generic Name]_[Date]
so I tried
[monitor://D:\CDR]
disabled = false
index = cdr
sourcetype = cdr
whitelist = ^cdr
[monitor://D:\CDR]
disabled = false
index = cdr
sourcetype = cmr
whitelist = ^cmr
But this doesn't work.
EDIT: No Files are indexed when I use it like shown above
Is my RegEx wrong? What am I doing wrong?
Thanks for Helping!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PPape
Contributor
02-04-2015
07:35 AM
The answer was:
[monitor://D:\CDR\cdr*]
disabled = false
index = cdr
sourcetype = cdr
[monitor://D:\CDR\cmr*]
disabled = false
index = cdr
sourcetype = cmr
Thanks to s72ucor in the #splunk Channel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PPape
Contributor
02-04-2015
07:35 AM
The answer was:
[monitor://D:\CDR\cdr*]
disabled = false
index = cdr
sourcetype = cdr
[monitor://D:\CDR\cmr*]
disabled = false
index = cdr
sourcetype = cmr
Thanks to s72ucor in the #splunk Channel
