Solved: How to configure inputs.conf to separate files mon...

PPape · ‎02-04-2015

Hey Guys,

I'm trying to index Data via File Monitor

[monitor://D:\CDR]
disabled = false
index = cdr
sourcetype = cdr

This works just fine, but now I want to separate the files in this Directory there are

cdr[generic Name]_[Date] 
and cmd[generic Name]_[Date]

so I tried

[monitor://D:\CDR]
disabled = false
index = cdr
sourcetype = cdr
whitelist = ^cdr

[monitor://D:\CDR]
disabled = false
index = cdr
sourcetype = cmr
whitelist = ^cmr

But this doesn't work.
EDIT: No Files are indexed when I use it like shown above

Is my RegEx wrong? What am I doing wrong?

Thanks for Helping!

PPape · ‎02-04-2015

The answer was:

 [monitor://D:\CDR\cdr*]
 disabled = false
 index = cdr
 sourcetype = cdr


 [monitor://D:\CDR\cmr*]
 disabled = false
 index = cdr
 sourcetype = cmr

Thanks to s72ucor in the #splunk Channel

View solution in original post

PPape · ‎02-04-2015

The answer was:

 [monitor://D:\CDR\cdr*]
 disabled = false
 index = cdr
 sourcetype = cdr


 [monitor://D:\CDR\cmr*]
 disabled = false
 index = cdr
 sourcetype = cmr

Thanks to s72ucor in the #splunk Channel

How to configure inputs.conf to separate files monitored in a directory?

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...