Given this in the props.conf on my indexer:
# source stanzas use the "source::" prefix (not "source://"); * matches within one path segment
[source::c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\ws_ftp.log]
sourcetype = wsftp_log
[source::c:\Documents and Settings\*\AppData\Roaming\Ipswitch\WS_FTP\Logs\*.rtf]
sourcetype = wsftp_session
[wsftp_log]
TIME_PREFIX = ^
# TIME_FORMAT is strptime syntax, so a literal dot is written "." rather than "\."
TIME_FORMAT = %Y.%m.%d %H:%M
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = FALSE
# the lookahead must close with ")"; the original ended in a stray "}" and would not compile
LINE_BREAKER = ([\n\r]+)(?=\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2})
TRUNCATE = 99999
[wsftp_session]
# in PCRE "\c" is a control-character escape, so the literal RTF token \cf2 must be written "\\cf2"
TIME_PREFIX = ^\\cf2 \[
TIME_FORMAT = %Y.%m.%d %H:%M:%S.%3N
SHOULD_LINEMERGE = FALSE
MAX_TIMESTAMP_LOOKAHEAD = 30
# "^" inside the lookahead is dropped: the breaker already consumed the newline run
LINE_BREAKER = ([\n\r]+)(?=\\cf2\s\[)
TRUNCATE = 999999
When I run this:
$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -index testing
OR
$SPLUNK_HOME/bin/splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\salem_file1.rtf" -index testing
It doesn't identify the sourcetype at all.
Why?
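Before pushing stanzas like these to an indexer or deployment app, it is worth checking that LINE_BREAKER, TIME_PREFIX and TIME_FORMAT actually break and timestamp the events you expect. The script below is an added example, not part of this thread or of Splunk; it emulates those three settings with Python's re module standing in for Splunk's PCRE engine and %f standing in for Splunk's %3N. The WS_FTP log and RTF session samples are constructed, and their layout (each event opening with "YYYY.MM.DD HH:MM" or with "\cf2 [timestamp]") is an assumption drawn from the regexes in the question.

```python
import re
from datetime import datetime

# Constructed sample of a WS_FTP transfer log: two events, the second with a
# continuation line that must stay attached to it.
WSFTP_LOG = (
    "2012.03.01 09:15 Connected to ftp.example.test\n"
    "2012.03.01 09:16 Transferred report.csv\r\n"
    "   continuation line belonging to the second event\n"
)

# Constructed sample of an RTF session log; the RTF header carries no timestamp.
WSFTP_SESSION = (
    "{\\rtf1\\ansi\n"
    "\\cf2 [2012.03.01 09:15:02.123] session opened\n"
    "\\cf2 [2012.03.01 09:15:03.456] LIST /\n"
    "}\n"
)

# Settings mirroring the corrected props.conf stanzas (Python re instead of PCRE).
STANZAS = {
    "wsftp_log": {
        "LINE_BREAKER": re.compile(r"([\n\r]+)(?=\d{4}\.\d{2}\.\d{2}\s\d{2}:\d{2})"),
        "TIME_PREFIX": re.compile(r"^"),
        "TIME_FORMAT": "%Y.%m.%d %H:%M",
        "MAX_TIMESTAMP_LOOKAHEAD": 19,
    },
    "wsftp_session": {
        # "\\cf2" matches the literal RTF token \cf2; a bare "\c" is a control escape in PCRE
        "LINE_BREAKER": re.compile(r"([\n\r]+)(?=\\cf2\s\[)"),
        "TIME_PREFIX": re.compile(r"^\\cf2 \["),
        "TIME_FORMAT": "%Y.%m.%d %H:%M:%S.%f",  # %f stands in for Splunk's %3N
        "MAX_TIMESTAMP_LOOKAHEAD": 30,
    },
}


def break_events(raw, breaker):
    """Emulate LINE_BREAKER: group 1 is discarded and the text after it starts a new event."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start()])
        start = m.end()
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event, stanza):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT; None when nothing parses."""
    m = stanza["TIME_PREFIX"].search(event)
    if not m:
        return None
    window = event[m.end(): m.end() + stanza["MAX_TIMESTAMP_LOOKAHEAD"]]
    # strptime wants an exact match, so shorten the window until a prefix parses
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], stanza["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def parse(raw, sourcetype):
    """Return (timestamp, event_text) pairs the way the indexer would see them."""
    stanza = STANZAS[sourcetype]
    return [(extract_timestamp(e, stanza), e)
            for e in break_events(raw, stanza["LINE_BREAKER"])]


if __name__ == "__main__":
    for st, sample in (("wsftp_log", WSFTP_LOG), ("wsftp_session", WSFTP_SESSION)):
        for ts, text in parse(sample, st):
            print(st, ts, repr(text))
```

Running it shows the session log producing a first event (the RTF header) with no parseable timestamp, which is exactly the case where Splunk falls back to the previous event's time or the modification time, so a header like that is worth accounting for before the sourcetype goes live.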
As per the documentation, wildcard usage is not supported.
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI
Maybe it has something to do with the wildcard in the source name. Did you try specifying the sourcetype in the command?
$SPLUNK_HOME\bin\splunk add oneshot "C:\documents and settings\(my user id)\Appdata\roaming\ipswitch\ws_ftp\logs\ws_ftp.log" -sourcetype wsftp_log -index testing
Of course I can identify the sourcetype via the command line. The test was to check whether the props.conf on the indexer would do the identification so I can deploy an app to gather these logs from various machines and various users (hence the * in the path).