I'm trying to set up the Splunk for A10 Networks app.
It expects syslog data on UDP port 514.
My data is collected by NXLog, spit out into a file, and then consumed by Splunk.
As such, I'm trying to edit a props.conf stanza in the app's directory from it's default, [source::udp:514] to match my file path.
Example path:
D:\syslog\a10networks&adc_a10networks\[device name]\[file name].syslog.
How would I construct my source stanza?
I've tried many variations along the lines of, [source::D:\\...\\a10networks&adc_a10networks\\....syslog] (I have tried escaping the ampersand in my path). I'm running Splunk on Windows if it matters.
I think that this is what you need in props.conf if there is only one layer of directories represented by [device name]
[source::D:\syslog\a10networks&adc_a10networks\*\*.syslog]
This will work if the directory structure is more complicated
[source::D:\syslog\a10networks&adc_a10networks\...\*.syslog]
I tried your example, with and without escaped backslashes, and still couldn't get it to work. I'm wondering if it isn't related to the '&' in the path. In the end, I assigned a source type (a10) via Splunk file & folder monitoring, and replaced my [source::...] stanza with [a10]. Now everything is working.
How about the &
in the path name, does this work? I can remember a bug which did not like $
in path names.
Hi matthewjohnson,
you can use something like this in your inputs.conf
:
[monitor://D:\syslog\...\*.syslog]
which will recurses through the directories in side of syslog
.
Hope this helps ...
cheers, MuS
Thanks for the input. @lguinn is correct, I'm editing an app and am working with props.conf
Yes, this is good for inputs.conf, but I think he may be editing an app, in which case he probably needs to edit props.conf as well...
That's a little different.
PS. I corrected the typo in your monitor stanza (missing ]
)
HeHe, twice good spotting @lguinn