Splunk Enterprise Security

inputs.conf

phanichintha
Path Finder

Hello,

In one of the windows machine logs (path: C:\servicedesk\logs) sending via the universal forwarder to Splunk. So I created inputs.conf and below are the monitor paths, so now am getting logs from sourcetype=%sit% but no logs are coming from sourcetype=automation. Why logs are not coming under sourcetype=automation.

[monitor://C:\servicedesk\logs]
disabled = 0
index = main
sourcetype = %sit%

[monitor://C:\servicedesk\logs]
disabled = 0
index = main
sourcetype = automation

Labels (1)
Tags (1)
0 Karma
1 Solution

phanichintha
Path Finder

HI,

 

there is no difference in both stanzas, both are same logs, but here am i created for the first time sourcetype=%sit% am getting logs after i changes to sourcetype=Automation and disabled sourcetype=%sit% am not getting logs, so now i want logs will be index only with sourcetype=Automation

View solution in original post

0 Karma

rnowitzki
Builder

Hi  @phanichintha ,

You definifed the same path in 2 different stanzas.
What is the difference in the events/logs between sourcetypes "%sti%" and "automation"?

BR
Ralph


--
Karma and/or Solution tagging appreciated.
0 Karma

phanichintha
Path Finder

HI,

 

there is no difference in both stanzas, both are same logs, but here am i created for the first time sourcetype=%sit% am getting logs after i changes to sourcetype=Automation and disabled sourcetype=%sit% am not getting logs, so now i want logs will be index only with sourcetype=Automation

View solution in original post

0 Karma

phanichintha
Path Finder

HI, after i set for only one stanza i got my results, problem solved.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!