- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk multiple monitering stanza issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk multiple monitering stanza issue
Hi ,
I am adding here multiple monitoring stanza to filter out different log files and give them source type.
But I am seeing in indexer's search that source SystemErr.log with two different source type i.e.
SystemErrs and SystemErr-Small.
Please suggest me what should i do to not do filter in two diffrent stanzas.
[monitor://E:/fflogs/SystemOut.log]
sourcetype=SystemOuts
[monitor://E:/fflogs/SystemErr.log]
sourcetype=SystemErrs
[monitor://E:/fflogs/]
whitelist=.log$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, For first two stanza I want to filter out systemout and systemerr logs with specific sourcetype and for all others I have to send as it is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You really should have only one monitor stanza for a directory. The following would be more efficient and work better:
inputs.conf
[monitor://E:\\fflogs\\]
whitelist=SystemErr.log$|SystemOut.log$
props.conf
[source::E:\\fflogs\\...\\SystemErr.log]
sourcetype=SystemErrs
[source::E:\\fflogs\\...\\SystemOut.log]
sourcetype=SystemOuts
You might need to set the whitelist differently, depending on what you want.
Note that setting the sourcetype, either in inputs.conf or in props.conf will not change any data that has already been indexed. My guess is that the SystemErr-Small (or SystemErr-TooSmall) was created because when you initially tried to index the data, Splunk could not automatically identify the sourcetype because the input file was too short.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf is used in a number of places in Splunk, depending on the attributes that you are setting. Setting the sourcetype is done at input time - so this props.conf belongs on the forwarder.
You can (and probably will) have multiple copies of props.conf. Attibutes that are related to parsing go on the indexer...
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your meaning is I have to put props.conf in forwarder local file with inputs.conf ? Spunk Support suggest me to add props.conf in indexer local file . I am confused.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This props.conf file belongs in the same directory as the inputs.conf file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to configure this in props.conf but some how its not working. That why I have only option to set in inputs.conf file. Please suggest how we can solve this problem i inputs.conf itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the purpose of last stanza? Are you monitoring the whole folder as well?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
