Hi,
In my inputs.conf I have a number of monitors. I would like to create a custom field called logtypevalue with values based on the monitors. For example, if the monitor is:
[monitor://D:\logs\logfiles\tomcat*.log]
I want the value of logtypevalue set to abcde.
If the monitor is:
[monitor://D:\logs\logfiles\apache*.log]
I want the value of logtypevalue set to testing.
Basically the values of logtypevalue can't be extracted from the monitor so I am not sure how I can do this.
Any help will be greatly appreciated.
Thanks.
Jackie
I don't know you can do that in inputs.conf, but it's possible in props.conf. In the appropriate stanza for each input's sourcetype add
EVAL-logtypevalue = "abcde"
or
EVAL-logtypevalue = "testing"
You can hard-code each monitor inside inputs.conf with a unique sourcetype such as STunique1, STunique2, etc. Then inside props.conf you do like @richgalloway said and use EVAL-logtypevalue="testing" or whatever, for each unique sourcetype, but you also rename the sourcetype here with rename = "STcommon" so that in the end, each one goes back to sharing the same sourcetype but with unique values for logtypevalue!
Thanks a lot. I managed to do it based on your suggestion.
In props.conf, I have this setting:
[source::D:\abc\testing*.log]
EVAL-log_type = "testing-logs"
[source::D:\def\reporting*.log]
EVAL-log_type = "reporting-logs"
Now my question is: is it possible to specify the index in the above settings as well?
It may happen that logs with the same paths coming from different servers for different indexes will match the paths above. I only want those that match the paths above and for a particular index to have log_type configured.
Is this possible?
Thanks.
See my alternative answer. It will allow you to take into effect the index value by doing this based on sourcetype rather than by source (eliminating your problem entirely).
Thanks for the reply, but the problem we have is that we use sourcetype for something else (linebreak). Therefore in our inputs.conf, there are multiple monitors with the same sourcetype which can't be changed. This means the only thing we can use to distinguish between different sources (i.e. monitors) is the source itself.
Now I have updated props.conf with the settings in my reply above, and it works fine. There should not be another monitor with the exact same path but for a different index cos that would not be right, but I am just thinking out loud here whether it is possible to include the index in the configs above. Something like if the source is D:\def\reporting*.log and it is for the index "abc" then do the EVAL-log_type part.
Thanks.
Not possible.
ok, thanks for getting back to me.
You can include index=foo in your inputs.conf file, but not props.conf.