Solved: Multiple error_log files

rwssoccer1 · ‎11-23-2010

Maybe you can help me out with something. I have multiple files of the same type, error_log files, that are named different. An example would be /var/log/httpd/error_log, /var/log/httpd/error_log-1..etc.....the data input is set to be "/var/log/httpd/error_log*" what is the best way do this instead of having separate sources for these logs to have it under one source called access_log?

simuvid · ‎11-23-2010

You can simply override the source setting either in the UI, while defining the new DataIput, or in the inputs.conf file, with something like:

[monitor:/var/log/httpd/error_log*]
disabled = false
followTail = 1
host = apache-1.splunk.com
sourcetype = access_combined
source = access_log

Hope that helps?

Cheers,

simuvid

View solution in original post

simuvid · ‎11-23-2010

You can simply override the source setting either in the UI, while defining the new DataIput, or in the inputs.conf file, with something like:

[monitor:/var/log/httpd/error_log*]
disabled = false
followTail = 1
host = apache-1.splunk.com
sourcetype = access_combined
source = access_log

Hope that helps?

Cheers,

simuvid

rwssoccer1 · ‎11-23-2010

Awesome! works like a charm.. Thank you!

Multiple error_log files

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation