Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to edit my configurations to assign source...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to index following files:
c:\test\access.log
c:\test\access_00.0.log
c:\test\access_00.0.trc
c:\test\log\responses_01.0.trc
c:\test\log\responses_01.0.log
The sourcetypes for those files are:
c:\test\access.log --> SAP
c:\test\access_00.0.log --> SAP
c:\test\access_00.0.trc --> SAP
c:\test\log\responses_01.0.trc --> SAPResponse
c:\test\log\responses_01.0.log --> SAP
My inputs.conf file is following:
[monitor://C:\test\]
recursive = false
index = sap
disabled = false
whitelist=\.log$|\.trc$
ignoreOlderThan = 1d
[monitor://C:\test\log\]
recursive = true
index = sap
disabled = false
whitelist=\.log$|\.trc$
ignoreOlderThan = 1d
And my props.conf
[source::...\.log$]
sourcetype = SAP
[source::.../access_*.*.trc.*$]
sourcetype = SAPResponse
When files are indexed all them have the "default" sourcetype and it´s not the right ones that I have defined in props. Any idea why?
Thanks in advance,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the suggestions provided. At the end, I have found the solution:
In inputs.conf
[monitor://C:\test2]
recursive = true
index = sap
disabled = false
whitelist=(.log|.trc)$
ignoreOlderThan = 1d
In props.conf
[source::C:\test2\log\resp*trc]
sourcetype = SAPResponse
priority = 10
[source::....(log*|trc*)]
sourcetype = SAP
priority = 5
Now Splunk gets the files and assign the right sourcetype for each file here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the suggestions provided. At the end, I have found the solution:
In inputs.conf
[monitor://C:\test2]
recursive = true
index = sap
disabled = false
whitelist=(.log|.trc)$
ignoreOlderThan = 1d
In props.conf
[source::C:\test2\log\resp*trc]
sourcetype = SAPResponse
priority = 10
[source::....(log*|trc*)]
sourcetype = SAP
priority = 5
Now Splunk gets the files and assign the right sourcetype for each file here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably want to specify sourcetype in your monitor stanza, creating new stanzas as necessary. You can use a TRANSFORMS action in props.conf to accomplish this, but for your needs I don't think it should be necessary.
Look at inputs.conf for how you can use .. and ... with wildcards to accomplish what you need here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What kind of forwarder you're using? Try putting pros.conf changes on Indexers.
Also, give this a try
inputs.conf on forwarder
[monitor://C:\test\access*.log]
recursive = false
index = sap
sourcetype = SAP
disabled = false
ignoreOlderThan = 1d
[monitor://C:\test\access*.trc]
recursive = false
index = sap
sourcetype = SAP
disabled = false
ignoreOlderThan = 1d
[monitor://C:\test\log\responses*.log]
recursive = false
index = sap
sourcetype = SAP
disabled = false
ignoreOlderThan = 1d
[monitor://C:\test\log\responses*.trc]
recursive = false
index = sap
sourcetype = SAPResponse
disabled = false
ignoreOlderThan = 1d
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
