Hi, All. I have an overlapping path issue in Windows that I might need some assist on.
I have the contents of two directories which need monitoring (all files have the .log extension):
Looks like Splunk has issues with overlapping monitor inputs, so I can't monitor the directories with separate input stanzas. The files in the 'report' directory have (for whatever reason) ISO-8859-1 encoding. Splunk requires a separate props.conf directive so the log files are read correctly.
I'm unable to set the input to the parent directory (like "C:\Program Files\MyApp\Client") since the character set change in the report/ directory. Also, there are other files which I don't want to read from the parent directory.
Here's an example (not-really-working) configuration I'm using at the moment.
Have any thoughts on how I will be able to read the contents of both directories as well as read the report directory with the appropriate character set intact?
[monitor://C:\Program Files\MyApp\Client\ConnLog] sourcetype = conn_log followTail = 1 crcSalt = <source> [monitor://C:\Program Files\MyApp\Client\report] sourcetype = report_log followTail = 1 crcSalt = <source>
[source::C:\Program Files\MyApp\Client\report] CHARSET = ISO-8859-1
This should work, you can maybe try setting the character set by using sourcetype instead of source:
[report_log] CHARSET = ISO-8859-1
Make sure that you added the props.conf file on the forwarder, not the indexer.