- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to configure different sourcetypes for logs in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've got the following directory structure:
c:\Logs\<system>
At the moment, inputs.conf for application1 (search) is set to:
[monitor://c:\Logs\]
disabled = false
#host_segment 2 = system name
host_segment = 2
sourcetype = sourcetype1
The above config works.
However, I now have a requirement for another sourcetype. The system generates the logs into the same directory:
C:\logs\<system>\foo_sourcetype2.log
The inputs.conf for application2 named application2 will look like:
[monitor://c:\Logs\<system>\foo_sourcetype2.log]
disabled = false
sourcetype = sourcetype2
Unfortunately, this doesn't seem to be working.
I've also tried:
*blacklisting input.conf for application1 with: _sourcetype2.log - doesn't work
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this in your inputs.conf
[monitor://c:\Logs\]
disabled = false
#host_segment 2 = system name
host_segment = 2
sourcetype = sourcetype1
blacklist = foo_sourcetype2\.log$
[monitor://c:\Logs\<system>\foo_sourcetype2.log]
disabled = false
sourcetype = sourcetype2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this in your inputs.conf
[monitor://c:\Logs\]
disabled = false
#host_segment 2 = system name
host_segment = 2
sourcetype = sourcetype1
blacklist = foo_sourcetype2\.log$
[monitor://c:\Logs\<system>\foo_sourcetype2.log]
disabled = false
sourcetype = sourcetype2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems that there was a (very long) delay after the restart, it was fine after it settled down.
The only addition as similar to @somesoni2:
blacklist = _sourcetype2.log
BTW: Can't add '$' on the regex as there are rotational logs in that directory
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure that the blacklist prevents the special files from being processed by the existing entry and then monitor the special files through a different path (be sure to have a good whitelist and blacklist here, too) by creating a soft link like this explains:
http://answers.splunk.com/answers/268433/data-input-path-name-is-the-same.html
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
