Getting Data In

source type identification in props.conf

Communicator

Given this in the props.conf on my indexer:

[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\ws_ftp.log]

sourcetype = wsftp_log

[source://c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\*.rtf]

sourcetype = wsftp_session

[wsftp_log]

TIME_PREFIX = ^

TIME_FORMAT = %Y\.%m\.%d %H:%M

MAX_TIMESTAMP_LOOKAHEAD = 19

SHOULD_LINEMERGE = FALSE

LINE_BREAKER = ([\n\r]+)(?=\d{4}.\d{2}.\d{2}\s\d{2}:\d{2}}

TRUNCATE = 99999

[wsftp_session]

TIME_PREFIX = ^\cf2 \[

TIME_FORMAT = %Y\.%m\.%d %H:%M:%S\.%3N

SHOULD_LINEMERGE = FALSE

MAX_TIMESTAMP_LOOKAHEAD = 30

LINE_BREAKER = ([\n\r]+)(?=^\cf2\s\[)

TRUNCATE = 999999

When I run this:

$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -index testing

OR

$SPLUNK_HOME/bin/splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\salem_file1.rtf" -index testing

It doesn't identify the sourcetype at all.

Why?

0 Karma
Highlighted

Re: source type identification in props.conf

Super Champion

Maybe it has something to do with the wildcard in the source name. Did you try specifying the sourcetype in the command?

$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -sourcetype wsftp_log -index testing

0 Karma
Highlighted

Re: source type identification in props.conf

Communicator

Of course I can identify the sourcetype via the command line. The test was to check whether the props.conf on the indexer would do the identification so I can deploy an app to gather these logs from various machines and various users (hence the * in the path).

0 Karma
Highlighted

Re: source type identification in props.conf

Splunk Employee
Splunk Employee
0 Karma