Getting Data In

Splunk Light Free + Universal Forwarder: How to fix my configurations to monitor input paths with wildcards and assign proper sourcetypes?

moo2k
New Member

Hello guys.

I am new to Splunk. Let me introduce my problem. I have installed Splunk Light Free on the server (based on Windows Server 2012 Std, hostname: logs.xxx.com) and universal forwarder on the machine with logs (based on Windows Server 2012 Std, hostname: myapplogs.xxx.com).

Machine with logs (where UF installed) have 2 folders, e.g.

 C:\MyApp\API
 C:\MyApp\Service

Logs location looks like:

 C:\MyApp\API\Shared\log\*.log
 C:\MyApp\Service\Shared\log\2015-10-19\*.log

where 2015-10-19 - today date. New folder is created everyday.

How can I monitor these two paths with wildcards and send logs from there to:
logs.xxx.com:9990 - for API logs
logs.xxx.com: 9991- for Service logs

I wrote some configs:
Splunk inputs.conf:

[splunktcp://9990]
index = myapp
sourcetype = myapp_api

[splunktcp://9991]
index = myapp
sourcetype = myapp_service

UF inputs.conf:

[monitor://C:\\MyApp\\API\\Shared\\log\\*.log]
_TCP_ROUTING = MyApp_API
disabled = false
index = myapp
sourcetype = myapp_api

[monitor://C:\\MyApp\\Service\\Shared\\log\\...\\*.log]
_TCP_ROUTING = MyApp_Service
disabled = false
index = myapp
sourcetype = myapp_service

UF outputs.conf:
[tcpout:MyApp_API]
server = logs.xxx.com:9990
useACK = true

[tcpout:MyApp_Service]
server = logs.xxx.com:9991
useACK = true
But this configuration did not work properly. My folders are not monitored correctly. Instead, Splunk monitors folder, e.g. C:\MyApp\Api\Builds And in Splunk, sourcetypes are not assigned properly. Instead of myapp_api, I have sourcetype=2015-10-19.

Please help me to fix configs. I am a newbie in Splunk.

0 Karma

moo2k
New Member

Thanks to all. I have solved problem by myself.

0 Karma

piebob
Splunk Employee
Splunk Employee

how about explaining how you solved it so others can benefit?

0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...