Solved: inputs.conf

phanichintha · ‎07-27-2020

Hello,

In one of the windows machine logs (path: C:\servicedesk\logs) sending via the universal forwarder to Splunk. So I created inputs.conf and below are the monitor paths, so now am getting logs from sourcetype=%sit% but no logs are coming from sourcetype=automation. Why logs are not coming under sourcetype=automation.

[monitor://C:\servicedesk\logs]
disabled = 0
index = main
sourcetype = %sit%

[monitor://C:\servicedesk\logs]
disabled = 0
index = main
sourcetype = automation

phanichintha · ‎07-27-2020

HI,

there is no difference in both stanzas, both are same logs, but here am i created for the first time sourcetype=%sit% am getting logs after i changes to sourcetype=Automation and disabled sourcetype=%sit% am not getting logs, so now i want logs will be index only with sourcetype=Automation.

View solution in original post

rnowitzki · ‎07-27-2020

Hi @phanichintha ,

You definifed the same path in 2 different stanzas.
What is the difference in the events/logs between sourcetypes "%sti%" and "automation"?

BR
Ralph

--
Karma and/or Solution tagging appreciated.

phanichintha · ‎07-27-2020

HI,

there is no difference in both stanzas, both are same logs, but here am i created for the first time sourcetype=%sit% am getting logs after i changes to sourcetype=Automation and disabled sourcetype=%sit% am not getting logs, so now i want logs will be index only with sourcetype=Automation.

phanichintha · ‎07-27-2020

HI, after i set for only one stanza i got my results, problem solved.

inputs.conf

configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation