Getting Data In

Splunk Light Free + Universal Forwarder: How to fix my configurations to monitor input paths with wildcards and assign proper sourcetypes?

moo2k
New Member

Hello guys.

I am new to Splunk. Let me introduce my problem. I have installed Splunk Light Free on the server (based on Windows Server 2012 Std, hostname: logs.xxx.com) and universal forwarder on the machine with logs (based on Windows Server 2012 Std, hostname: myapplogs.xxx.com).

The machine with logs (where the UF is installed) has 2 folders, e.g.

 C:\MyApp\API
 C:\MyApp\Service

Logs location looks like:

 C:\MyApp\API\Shared\log\*.log
 C:\MyApp\Service\Shared\log\2015-10-19\*.log

where 2015-10-19 is today's date. A new folder is created every day.

How can I monitor these two paths with wildcards and send logs from there to:
logs.xxx.com:9990 - for API logs
logs.xxx.com:9991 - for Service logs

I wrote some configs:
Splunk inputs.conf:

[splunktcp://9990]
index = myapp
sourcetype = myapp_api

[splunktcp://9991]
index = myapp
sourcetype = myapp_service

UF inputs.conf:

[monitor://C:\\MyApp\\API\\Shared\\log\\*.log]
_TCP_ROUTING = MyApp_API
disabled = false
index = myapp
sourcetype = myapp_api

[monitor://C:\\MyApp\\Service\\Shared\\log\\...\\*.log]
_TCP_ROUTING = MyApp_Service
disabled = false
index = myapp
sourcetype = myapp_service

UF outputs.conf:

[tcpout:MyApp_API]
server = logs.xxx.com:9990
useACK = true

[tcpout:MyApp_Service]
server = logs.xxx.com:9991
useACK = true

But this configuration did not work properly. My folders are not monitored correctly. Instead, Splunk monitors a folder, e.g. C:\MyApp\Api\Builds. And in Splunk, sourcetypes are not assigned properly. Instead of myapp_api, I have sourcetype=2015-10-19.

Please help me to fix configs. I am a newbie in Splunk.

0 Karma

moo2k
New Member

Thanks to all. I have solved the problem by myself.

0 Karma

piebob
Splunk Employee

how about explaining how you solved it so others can benefit?

0 Karma
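
To check which files a wildcard monitor path would pick up before deploying it, here is an added example (not from the thread and not Splunk's own code) that models the documented wildcard semantics, where `...` recurses through directories and `*` stays within a single path segment, against the two log locations from the question. The stanza paths are written with single backslashes and the sample file names are constructed; both are assumptions.

```python
import re

SEP = "\\"  # Windows path separator

def wildcard_to_regex(monitor_path):
    """Model of the wildcard rules: '...' crosses directories, '*' does not."""
    out, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out.append(".*")                          # any depth of subfolders
            i += 3
        elif monitor_path[i] == "*":
            out.append("[^" + re.escape(SEP) + "]*")  # one path segment only
            i += 1
        else:
            out.append(re.escape(monitor_path[i]))    # literal character
            i += 1
    return re.compile("".join(out) + "$")

def base_dir(monitor_path):
    """Longest wildcard-free leading directory, i.e. the folder being watched."""
    kept = []
    for segment in monitor_path.split(SEP):
        if "*" in segment or "..." in segment:
            break
        kept.append(segment)
    return SEP.join(kept)

# Monitor paths from the question, keyed by the intended sourcetype.
STANZAS = {
    "myapp_api": r"C:\MyApp\API\Shared\log\*.log",
    "myapp_service": r"C:\MyApp\Service\Shared\log\...\*.log",
}

def sourcetype_for(path):
    """Return the sourcetype of the first stanza whose pattern matches path."""
    for sourcetype, monitor_path in STANZAS.items():
        if wildcard_to_regex(monitor_path).match(path):
            return sourcetype
    return None

if __name__ == "__main__":
    samples = [  # constructed file names, for illustration only
        r"C:\MyApp\API\Shared\log\app.log",
        r"C:\MyApp\API\Shared\log\old\app.log",
        r"C:\MyApp\API\Builds\build.log",
        r"C:\MyApp\Service\Shared\log\2015-10-19\svc.log",
    ]
    for p in samples:
        print(p, "->", sourcetype_for(p))
```

Any file that comes back as `None` is outside both stanzas; if such a file still shows up in the index, the forwarder is not reading the stanza the way this model does, and the path syntax in inputs.conf is the first thing to recheck.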