props.conf source file/directory

acalvo · ‎10-28-2010

Following the documentation http://www.splunk.com/base/Documentation/latest/admin/Forwarddatatothird-partysystems I've set up a system to forward data to a syslog server. However, while using a host::hostname works, seems that using source::/path/file or source::/path/directory is not working. Does it needs to have a monitor defined also?

woodcock · ‎05-26-2015

It will not work if you have overridden your source (unless you use the original source value). This may be your problem.

acalvo · ‎10-29-2010

props.conf:

[source::/opt/glassfishv3/glassfish/domains/domain1/logs/]
TRANSFORMS-routing = send_to_syslog

transforms.conf:

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = INM01

outputs.conf:

[syslog:INM01]
server = 10.10.40.10:10514
type = tcp

The official documentation does not use the REGEX param in the transforms file, however, it didn't work without specifying it.

I've also used the 3 dots (...) in front of the path, but still no luck.

Replacing the source for hostname:: works.

Genti · ‎10-28-2010

should work. Show your stanza for more details..

Join the Conversation