Getting Data In

Splunk Light Free + Universal Forwarder: How to fix my configurations to monitor input paths with wildcards and assign proper sourcetypes?

New Member

Hello guys.

I am new to Splunk. Let me introduce my problem. I have installed Splunk Light Free on the server (based on Windows Server 2012 Std, hostname: logs.xxx.com) and universal forwarder on the machine with logs (based on Windows Server 2012 Std, hostname: myapplogs.xxx.com).

Machine with logs (where UF installed) have 2 folders, e.g.

 C:\MyApp\API
 C:\MyApp\Service

Logs location looks like:

 C:\MyApp\API\Shared\log\*.log
 C:\MyApp\Service\Shared\log\2015-10-19\*.log

where 2015-10-19 - today date. New folder is created everyday.

How can I monitor these two paths with wildcards and send logs from there to:
logs.xxx.com:9990 - for API logs
logs.xxx.com: 9991- for Service logs

I wrote some configs:
Splunk inputs.conf:

[splunktcp://9990]
index = myapp
sourcetype = myapp_api

[splunktcp://9991]
index = myapp
sourcetype = myapp_service

UF inputs.conf:

[monitor://C:\\MyApp\\API\\Shared\\log\\*.log]
_TCP_ROUTING = MyApp_API
disabled = false
index = myapp
sourcetype = myapp_api

[monitor://C:\\MyApp\\Service\\Shared\\log\\...\\*.log]
_TCP_ROUTING = MyApp_Service
disabled = false
index = myapp
sourcetype = myapp_service

UF outputs.conf:
[tcpout:MyApp_API]
server = logs.xxx.com:9990
useACK = true

[tcpout:MyAppService]
server = logs.xxx.com:9991
useACK = true
But this configuration did not work properly. My folders are not monitored correctly. Instead, Splunk monitors folder, e.g. C:\MyApp\Api\Builds And in Splunk, sourcetypes are not assigned properly. Instead of `myapp
api, I havesourcetype=2015-10-19`.

Please help me to fix configs. I am a newbie in Splunk.

0 Karma

New Member

Thanks to all. I have solved problem by myself.

0 Karma

Splunk Employee
Splunk Employee

how about explaining how you solved it so others can benefit?

0 Karma