I have two types of files I am inputting into Splunk.
Both reside at /var/data/proxy/isolde.2015060812.log or mimi.2015060515.log
I can easily use the whitelist field with a regex to specifically point out which file I want to take. I want to take them as separate inputs so each one can be assigned a different host value to be searched against.
However, when specifying the path a second time, Splunk returns an error: "path is the same and another input". So I edited inputs.conf manually to specify the path/sourcetype/host/whitelist regex. Doing a ./splunk btool check returned no errors, so I think it will work?
Does anyone have any experience with this kind of scenario? Can you comment on using inputs.conf as a valid way to work around the Splunk error?
It should work but if it doesn't, just create a soft link like this:
ln -fs /var/data/proxy/ /var/data/proxycopy
Then use this:
[monitor:///var/data/proxycopy/]
whitelist=other regex
It did work; however, editing the conf file means there is no entry in the Splunk web GUI, so I've opted for the softlink approach.
Thanks again, WC
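The soft-link layout discussed in this thread, written out as a complete inputs.conf fragment. This is an added example, not configuration posted by anyone in the thread; the host and sourcetype values and the two whitelist regexes are assumptions built from the file names in the question.

```ini
# inputs.conf (added example; host/sourcetype values are placeholders)
# Prerequisite from the answer above:
#   ln -fs /var/data/proxy/ /var/data/proxycopy

# Stanza 1: the real directory, restricted to the isolde files.
# whitelist is a regex matched against the full file path.
[monitor:///var/data/proxy/]
whitelist = isolde\.\d{10}\.log$
host = isolde-proxy
sourcetype = proxy_log

# Stanza 2: the same directory reached through the soft link,
# restricted to the mimi files. The two regexes must not overlap,
# so that each file is claimed by exactly one stanza and gets one host value.
[monitor:///var/data/proxycopy/]
whitelist = mimi\.\d{10}\.log$
host = mimi-proxy
sourcetype = proxy_log
```

Running `./splunk btool inputs list --debug` afterwards shows both monitor stanzas and the file each setting was read from.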