Solved: In inputs.conf for the same directory, why does ad...

puneethgowda · ‎02-27-2017

In inputs.conf, one stanza is receiving data for sourcetype=CWTBETAAppServerDbconnectInfo but when i add a 2nd stanza, it is not getting data for sourcetype=CWTBETAChannelInfo.

when i add 2nd stanza, the 1st stanza is not working

[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs]
disable = 0
ignoreOlderThan= 1d
index=CWT
sourcetype=CWTBETAAppServerDbconnectInfo
whitelist = AppServerDbconnectInfo(\d{8})-(\d{2}).txt$

[monitor://D:\HotelHub\Log4NetLogs]
disable = 0
ignoreOlderThan= 1d
index=CWT
sourcetype=CWTBETAChannelInfo
whitelist = ChannelInfo(\d{8})-(\d{2}).txt$

Regards,

Puneeth

puneethgowda · ‎04-13-2017

nothing worked as expected so we are moving all the logs to one index and one source type and searching based on source="filename" this is working great

View solution in original post

puneethgowda · ‎04-13-2017

nothing worked as expected so we are moving all the logs to one index and one source type and searching based on source="filename" this is working great

richgalloway · ‎02-27-2017

If you have two stanzas with the exact same name, the second replaces the first. To be more precise, the two stanzas are merged into one. Merging is by attribute name only - the value of the last attribute wins.

You can use btool to see how stanzas will be applied by Splunk. Run splunk btool inputs list <sourcetype>.

---
If this reply helps you, Karma would be appreciated.

splunkoptimus · ‎09-01-2022

I had a similar problem, there were two _TCP_ROUTING attributes under one input stanza, the second attribute was overriding the first one.

puneethgowda · ‎03-03-2017

01-27-2017 13:41:50.100 WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 5: Cannot parse into key-value pair: D:HotelHubLog4NetLogs
01-28-2017 11:10:24.728 WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 5: Cannot parse into key-value pair: D:HotelHubLog4NetLogs

rjthibod · ‎03-03-2017

It might be worthwhile to try adding the file monitor via the command line in order to see how Splunk formats the stanza and then compare to your configuration file.

<SPLUNK_ROOT>\bin\splunk add monitor D:\HotelHub\Log4NetLogs

puneethgowda · ‎04-13-2017

nothing worked as expected so we are moving all the logs to one index and one source type and searching based on source="filename" this is working great

puneethgowda · ‎03-03-2017

01-27-2017 13:41:50.100 WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 5: Cannot parse into key-value pair: D:HotelHubLog4NetLogs
01-28-2017 11:10:24.728 WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 5: Cannot parse into key-value pair: D:HotelHubLog4NetLogs

This is what b tool is saying

In inputs.conf for the same directory, why does adding a second stanza for a different sourcetype not return data from the first stanza?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation