Hello Splunk Guru,
In our environment, we have many Universal Forwarders, a few indexers and a couple of search heads.
Files to monitor from many forwarders:
/application/app1/logs/*
/application/app2/logs/*
/application/app3/logs/*
Will the configuration below work? If not, what should we do?
On the forwarder
inputs.conf
[monitor:///application/*/logs/*]
followTail = 0
props.conf
[source::/application/*/logs/*]
TRANSFORMS-change_stuff = change_sourcetype
On the indexer
transforms.conf
[change_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX = /application/*/logs/*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1
If I understand your goal (unsure), the only changes that you need to make are to remove followTail = 0
and replace it with a preliminary sourcetype setting (which you will override later) like this:
sourcetype = ChangeToAppName
Then change your transforms.conf line to this:
REGEX = /application/([^/]+)/logs
This will change your sourcetype to the 2nd segment of your path, which I think is what you are trying to do (it really doesn't make sense to set your sourcetype to the same thing as your source).
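To see why the REGEX line matters, here is an added Python simulation (not part of the original thread and not Splunk's own code) of what a transforms.conf stanza with SOURCE_KEY = MetaData:Source, DEST_KEY = MetaData:Sourcetype and FORMAT = sourcetype::$1 produces for the question's REGEX versus the answer's. The sample paths are constructed, and treating a FORMAT that references a missing capture group as "no result" is an assumption of the simulation.

```python
import re

# Constructed sample source paths, as MetaData:Source would carry them for files
# picked up by the [monitor:///application/*/logs/*] stanza in the question.
SAMPLE_SOURCES = [
    "/application/app1/logs/app.log",
    "/application/app2/logs/error.log",
    "/application/app3/logs/access.log.1",
    "/application/app1/logs/archive/old.log",
]

# REGEX from the question. Read as a regular expression, "/*" means "zero or more
# slashes" (not a path wildcard), so it only matches paths like /application/logs/...,
# and it has no capture group for FORMAT's $1 to refer to.
ORIGINAL_REGEX = r"/application/*/logs/*"

# REGEX from the answer: one capture group holding the second path segment.
CORRECTED_REGEX = r"/application/([^/]+)/logs"

# Preliminary sourcetype assigned in inputs.conf, per the answer.
PRELIMINARY_SOURCETYPE = "ChangeToAppName"


def apply_transform(source, regex, fmt="sourcetype::$1"):
    """Return the sourcetype the transform would set for one event, or None
    when the regex does not match or FORMAT references a capture group the
    regex does not define (treating that as "no result" is this simulation's
    assumption, not a statement about Splunk's own behaviour)."""
    match = re.search(regex, source)
    if match is None:
        return None
    try:
        value = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), fmt)
    except IndexError:  # e.g. $1 with no parentheses in REGEX
        return None
    # DEST_KEY = MetaData:Sourcetype expects the "sourcetype::<name>" form.
    return value[len("sourcetype::"):] if value.startswith("sourcetype::") else value


def resulting_sourcetypes(regex, sources=SAMPLE_SOURCES):
    """Map each source path to its final sourcetype: the transform's value if it
    fires, otherwise the preliminary sourcetype from inputs.conf."""
    return {src: apply_transform(src, regex) or PRELIMINARY_SOURCETYPE for src in sources}


if __name__ == "__main__":
    for regex in (ORIGINAL_REGEX, CORRECTED_REGEX):
        print(regex, resulting_sourcetypes(regex))
```

With the question's REGEX no sample path matches at all, so every event keeps the preliminary sourcetype; with the answer's REGEX each event gets its application name.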