Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

source type identification in props.conf

tyronetv
Communicator
‎05-05-2014 09:02 AM

Given this in the props.conf on my indexer:

[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\ws_ftp.log]

sourcetype = wsftp_log

[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\*.rtf]

sourcetype = wsftp_session

[wsftp_log]

TIME_PREFIX = ^

TIME_FORMAT = %Y\.%m\.%d %H:%M

MAX_TIMESTAMP_LOOKAHEAD = 19

SHOULD_LINEMERGE = FALSE

LINE_BREAKER = ([\n\r]+)(?=\d{4}.\d{2}.\d{2}\s\d{2}:\d{2}}

TRUNCATE = 99999

[wsftp_session]

TIME_PREFIX = ^\cf2 \[

TIME_FORMAT = %Y\.%m\.%d %H:%M:%S\.%3N

SHOULD_LINEMERGE = FALSE

MAX_TIMESTAMP_LOOKAHEAD = 30

LINE_BREAKER = ([\n\r]+)(?=^\cf2\s\[)

TRUNCATE = 999999

When I run this:

$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -index testing

OR

$SPLUNK_HOME/bin/splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\salem_file1.rtf" -index testing

It doesn't identify the sourcetype at all.

Why?

0 Karma
Reply

weeb
Splunk Employee
Splunk Employee
‎08-11-2015 10:47 AM

As per the documentation, wildcard usage is not supported.

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI

0 Karma
Reply

lukejadamec
Super Champion
‎05-05-2014 10:22 AM

Maybe it has something to do with the wildcard in the source name. Did you try specifying the sourcetype in the command?

$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -sourcetype wsftp_log -index testing

0 Karma
Reply

tyronetv
Communicator
‎05-06-2014 08:14 AM

Of course I can identify the sourcetype via the command line. The test was to check whether the props.conf on the indexer would do the identification so I can deploy an app to gather these logs from various machines and various users (hence the * in the path).

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...