Solved: What is the best way to edit inputs.conf to pull l...

Splunkster45 · ‎04-22-2015

I have two sets of logs that I want to be able to ingest into splunk

/opt/Model15/log/*
/opt/Model17/log/*

What's the best way to edit the props.conf file to pull both of these logs (under one sourcetype)?

I'm thinking that the whitelist option is the best way to do this:

[monitor:///opt/Model*/log/*]
index=the_index
sourcetype=model
whitelist=/opt/Model[0-9][0-9]/log/*

Does this look right to y'all or is there a better way to do this?

Thanks!

ngatchasandra · ‎04-22-2015

Hi Splunkster45,

Try with :

[monitor:///opt/Model*/log/*]
 index=the_index
 sourcetype=model
 whitelist= \/opt\/Model\d+\/log\/\*\]

ngatchasandra · ‎04-22-2015

Hi Splunkster45,

Try with :

[monitor:///opt/Model*/log/*]
 index=the_index
 sourcetype=model
 whitelist= \/opt\/Model\d+\/log\/\*\]

What is the best way to edit inputs.conf to pull logs from multiple paths into one sourcetype?