Solved: Re: Inputs.conf and Multiple sourcetypes

andrewkenth · ‎11-07-2013

Is it possible to monitor a directory for files that will be input with different source types (assuming I'd use whitelist) or will I need to create and monitor a differnet directory for each sourcetype?

So 1 Directory:

[monitor:///apps/splunk/staging/prod/crd/]
sourcetype = Windows_Events
whitelist = \d+-\S{8}_Windows_Events_\d{8}.csv

[monitor:///apps/splunk/staging/prod/crd/]
sourcetype = Windows_Users
whitelist = \d+-\S{8}_Windows_Users_\d{8}.csv

OR 2 dirs:

[monitor:///apps/splunk/staging/prod/crd/winEvents]
sourcetype = Windows_Events

[monitor:///apps/splunk/staging/prod/crd/winUsers]
sourcetype = Windows_Users

yannK · ‎11-10-2013

Option 2 is nicer and easier to troubleshoot.

but there is an option 3 with a single folder. but 2 monitors, and the filter in the path.

`
[monitor:///apps/splunk/staging/prod/crd/.../Windows_Events/*.csv]
sourcetype = Windows_Events

[monitor:///apps/splunk/staging/prod/crd/.../Windows_Users/*.csv]
sourcetype = Windows_Users
`

View solution in original post

yannK · ‎11-10-2013

Option 2 is nicer and easier to troubleshoot.

but there is an option 3 with a single folder. but 2 monitors, and the filter in the path.

`
[monitor:///apps/splunk/staging/prod/crd/.../Windows_Events/*.csv]
sourcetype = Windows_Events

[monitor:///apps/splunk/staging/prod/crd/.../Windows_Users/*.csv]
sourcetype = Windows_Users
`

kristian_kolb · ‎11-07-2013

Go with option no2. That way, there are no uncertainties with how this will be handled by splunk.

/K

Inputs.conf and Multiple sourcetypes

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!