Hello Splunk Guru,
In our environment, we have many Universal Forwarders, a few indexers and a couple of search heads.
Files to monitor from many forwarders:
/application/app1/logs/*
/application/app2/logs/*
/application/app3/logs/*
Will the configuration below work? If not, what should we do?
In Forwarder
inputs.conf
[monitor:///application/*/logs/*]
followTail = 0
props.conf
[source::/application/*/logs/*]
TRANSFORMS-change_stuff = change_sourcetype
In Indexer
transforms.conf
[change_sourcetype]
SOURCE_KEY = MetaData:Source
# $1 in FORMAT needs a capturing group; a bare * after / is a quantifier, not a wildcard
REGEX = /application/([^/]+)/logs/
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1
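An added offline check, not part of the original post or of Splunk itself: a small Python emulation of how a transforms.conf REGEX/FORMAT pair rewrites the sourcetype from MetaData:Source, so the regex and its capture group can be verified against sample paths before the stanza is deployed to the indexers. The substitution rules (re.search, $N replaced by group N) are a simplification of Splunk's behaviour and are assumed here.

```python
import re

# Constructed sample source paths, shaped like the monitor stanza in the post.
SAMPLE_SOURCES = [
    "/application/app1/logs/server.log",
    "/application/app2/logs/access.log",
    "/application/app3/logs/error.log",
    "/var/log/messages",  # outside the monitored tree; must be left alone
]


def apply_transform(regex: str, fmt: str, source: str):
    """Emulate one transforms.conf stanza with SOURCE_KEY = MetaData:Source
    and DEST_KEY = MetaData:Sourcetype.

    Returns the FORMAT string with $1, $2, ... replaced by the regex capture
    groups when REGEX matches the source, or None when it does not match
    (the event would keep its original sourcetype). Raises ValueError when
    FORMAT references a group the regex does not define; that is the
    checker's own diagnostic, not Splunk's behaviour.
    """
    m = re.search(regex, source)
    if m is None:
        return None

    def repl(g):
        idx = int(g.group(1))
        if idx > len(m.groups()):
            raise ValueError(
                f"FORMAT references ${idx} but REGEX has {len(m.groups())} group(s)"
            )
        return m.group(idx) or ""

    return re.sub(r"\$(\d+)", repl, fmt)


def check_stanza(regex: str, fmt: str, sources=SAMPLE_SOURCES):
    """Run the stanza over every sample source; map source -> resulting sourcetype."""
    return {src: apply_transform(regex, fmt, src) for src in sources}


if __name__ == "__main__":
    # The regex as originally written never matches a real app path, so the
    # transform would silently do nothing.
    print(check_stanza(r"/application/*/logs/*", "sourcetype::$1"))
    # With a capturing group, each app directory becomes the sourcetype.
    print(check_stanza(r"/application/([^/]+)/logs/", "sourcetype::$1"))
```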