I am new to Splunk. Let me introduce my problem. I have installed Splunk Light Free on the server (based on Windows Server 2012 Std, hostname: logs.xxx.com) and universal forwarder on the machine with logs (based on Windows Server 2012 Std, hostname: myapplogs.xxx.com).
Machine with logs (where UF installed) have 2 folders, e.g.
Logs location looks like:
2015-10-19 - today date. New folder is created everyday.
How can I monitor these two paths with wildcards and send logs from there to:
logs.xxx.com:9990 - for API logs
logs.xxx.com: 9991- for Service logs
I wrote some configs:
[splunktcp://9990] index = myapp sourcetype = myapp_api [splunktcp://9991] index = myapp sourcetype = myapp_service
[monitor://C:\\MyApp\\API\\Shared\\log\\*.log] _TCP_ROUTING = MyApp_API disabled = false index = myapp sourcetype = myapp_api [monitor://C:\\MyApp\\Service\\Shared\\log\\...\\*.log] _TCP_ROUTING = MyApp_Service disabled = false index = myapp sourcetype = myapp_service
server = logs.xxx.com:9990
useACK = true
server = logs.xxx.com:9991
useACK = true
But this configuration did not work properly. My folders are not monitored correctly. Instead, Splunk monitors folder, e.g.
C:\MyApp\Api\Builds And in Splunk, sourcetypes are not assigned properly. Instead of `myappapi
, I havesourcetype=2015-10-19`.
Please help me to fix configs. I am a newbie in Splunk.