Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to edit inputs.conf to pull logs from multiple paths into one sourcetype?

Splunkster45
Communicator
‎04-22-2015 10:18 AM

I have two sets of logs that I want to be able to ingest into splunk

/opt/Model15/log/*
/opt/Model17/log/*

What's the best way to edit the props.conf file to pull both of these logs (under one sourcetype)?

I'm thinking that the whitelist option is the best way to do this:

[monitor:///opt/Model*/log/*]
index=the_index
sourcetype=model
whitelist=/opt/Model[0-9][0-9]/log/*

Does this look right to y'all or is there a better way to do this?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-22-2015 10:48 AM

Hi Splunkster45,

Try with :

[monitor:///opt/Model*/log/*]
 index=the_index
 sourcetype=model
 whitelist= \/opt\/Model\d+\/log\/\*\]

View solution in original post

Reply
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-22-2015 10:48 AM

Hi Splunkster45,

Try with :

[monitor:///opt/Model*/log/*]
 index=the_index
 sourcetype=model
 whitelist= \/opt\/Model\d+\/log\/\*\]
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...