Getting Data In

monitor files in /var/log with different source types

asdfasdfasdflkj
New Member

I've seen variations of the question, but there must surely be a way to do this.

All our logs files are in /var/log/. We don't want all the logs to be classified as the same source type, how can we split out files? Must we select them individually? Why doesnt this work?

[monitor:///var/log/app1/client.log]
    sourcetype = app1
[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    _whitelist = apache2/(access|error).log$
[monitor:///var/log/app2.log]
    sourcetype = app2
0 Karma

dmlee
Communicator

I think may be you mistyping :

[monitor:///var/log/apache2]
    sourcetype = apache
    index = main
    whitelist = (access|error)\.log$  # there is only one backslash before dot 

and you can try another way :
in inputs.conf

[monitor:///var/log]
    whitelist = /client\.log|/apache2/access\.log$|/apache2/error\.log$|/app2\.log # there is only one backslash before dot
    index = main

in props.conf

[source::/var/log/app1/client.log]
   sourcetype = app1
[source::/var/log/apache2/*.log]
   sourcetype = apache
[source::/var/log/app2.log]
   sourcetype = app2
0 Karma

pkeller
Contributor

Good answer. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...