×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sha_knowis
New Member
Member since: ‎10-02-2018
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-02-2018
Activity Feed
View All

Re: What is the best practice to deal with equal s...

by Splunk Employee in Getting Data In
‎10-10-2018 06:41 AM
1 Karma
‎10-10-2018 06:41 AM
1 Karma
I believe the post you referenced still stands as the strongest approach. Use inputs.conf to collect the most generic pattern: monitor:///pathToLogs/*/fixedPath/logForSourcetype*.log (Notice the number is now wildcarded in the filename). And then use a sourcetype and host override to assign those fields dynamically depending on the source matches. - Override source types on a per-event basis - Set host values based on event data You may choose to assign the host and sourcetype to silly values as a way to ensure the health of this config. For example: [monitor:///pathToLogs/*/fixedPath/logForSourcetype*.log] host = changeMe sourcetype = changeMe And then you can have an alert for any events that appear with host=changeMe OR sourcetype=changeMe so you become aware when your configuration is failing. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM