Hello,
I'm trying to find out why only one sourcetype (the last one) is being monitored. Could someone please tell me how to configure input.conf? I'd like to capture some Apache/Tomcat logs and set different sourcetypes. When I let Splunk automatically set sourcetypes, it appends the dates to the sourcetype field.
[default]
host = NDV-MWWEB01
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = catalina.*
sourcetype = catalina
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = localhost.(.*)
sourcetype = localhostApache
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = localhost_(.*)
sourcetype = localhostApacheAccess
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = tomcat7.0.42-stderr(.*)
sourcetype = stderrApache
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = tomcat7.0.42-stdout(.*)
sourcetype = stdoutApache
Move your whitelist filter to the monitor stanza. Splunk expects only one monitor stanza per path (and you're putting 5 with the same monitoring path). Change your monitoring stanza like this:
[default]
host = NDV-MWWEB01
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\catalina.*]
disabled = false
index = test
sourcetype = catalina
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\localhost.*]
disabled = false
index = test
sourcetype = localhostApache
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\localhost_*]
disabled = false
index = test
sourcetype = localhostApacheAccess
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\tomcat7.0.42-stderr*]
disabled = false
index = test
sourcetype = stderrApache
[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\tomcat7.0.42-stdout*]
disabled = false
index = test
sourcetype = stdoutApache
Thank you very much, this did the trick.
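A lint check for the mistake discussed in this thread, added here as an example and not code from the original posts or from Splunk: it scans inputs.conf text for stanza headers that appear more than once and reports which settings from the earlier copies are overridden. The function names, the shortened `C:\logs` path in the constructed sample, and the "later value for the same key wins" merge model (which matches the symptom in the question) are assumptions.

```python
# Constructed sample: a shortened form of the inputs.conf from the question.
SAMPLE = r"""
[default]
host = NDV-MWWEB01
[monitor://C:\logs]
index = test
whitelist = catalina.*
sourcetype = catalina
[monitor://C:\logs]
index = test
whitelist = localhost_(.*)
sourcetype = localhostApacheAccess
[monitor://C:\logs\tomcat7.0.42-stdout*]
index = test
sourcetype = stdoutApache
"""

def parse_stanzas(text):
    """Return [(header, {key: value}), ...] in file order, duplicates kept."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif stanzas and "=" in line:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def find_shadowed(text):
    """Map each repeated header to [(key, lost_value, winning_value), ...]."""
    effective, report = {}, {}
    for header, settings in parse_stanzas(text):
        seen = effective.setdefault(header, {})
        for key, value in settings.items():
            # Assumed merge model: a later value for the same key replaces the earlier one.
            if key in seen and seen[key] != value:
                report.setdefault(header, []).append((key, seen[key], value))
            seen[key] = value
    return report

if __name__ == "__main__":
    for header, lost in find_shadowed(SAMPLE).items():
        print(f"[{header}] is defined more than once:")
        for key, old, new in lost:
            print(f"  {key}: '{old}' is overridden by '{new}'")
```

Running a check like this before deploying a forwarder configuration catches the case where log files silently stop being collected because their stanza was overridden.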