Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

props.conf source file/directory

acalvo
Explorer
‎10-28-2010 04:06 PM

Following the documentation http://www.splunk.com/base/Documentation/latest/admin/Forwarddatatothird-partysystems I've set up a system to forward data to a syslog server. However, while using a host::hostname works, seems that using source::/path/file or source::/path/directory is not working. Does it needs to have a monitor defined also?

Tags (1)
0 Karma
Reply
Highlighted

Re: props.conf source file/directory

Genti
Splunk Employee
Splunk Employee
‎10-28-2010 05:23 PM

should work. Show your stanza for more details..

Reply
Highlighted

Re: props.conf source file/directory

acalvo
Explorer
‎10-29-2010 06:58 AM

props.conf:

[source::/opt/glassfishv3/glassfish/domains/domain1/logs/]
TRANSFORMS-routing = sendtosyslog

transforms.conf:

[sendtosyslog]
REGEX = .
DESTKEY = _SYSLOGROUTING
FORMAT = INM01

outputs.conf:

[syslog:INM01]
server = 10.10.40.10:10514
type = tcp

The official documentation does not use the REGEX param in the transforms file, however, it didn't work without specifying it.

I've also used the 3 dots (...) in front of the path, but still no luck.

Replacing the source for hostname:: works.

0 Karma
Reply
Highlighted

Re: props.conf source file/directory

woodcock
Esteemed Legend
‎05-26-2015 09:49 PM

It will not work if you have overridden your source (unless you use the original source value). This may be your problem.

0 Karma
Reply