Hi,
I've got the following directory structure:
c:\Logs\<system>
At the moment, inputs.conf for application1 (search) is set to:
[monitor://c:\Logs\]
disabled = false
#host_segment 2 = system name
host_segment = 2
sourcetype = sourcetype1
The above config works.
However, I now have a requirement for another sourcetype. The system generates the logs into the same directory:
C:\logs\<system>\foo_sourcetype2.log
The inputs.conf for application2 will look like:
[monitor://c:\Logs\<system>\foo_sourcetype2.log]
disabled = false
sourcetype = sourcetype2
Unfortunately, this doesn't seem to be working.
I've also tried:
* blacklisting in inputs.conf for application1 with: _sourcetype2.log - doesn't work
Thanks in advance.
Try this in your inputs.conf
[monitor://c:\Logs\]
disabled = false
#host_segment 2 = system name
host_segment = 2
sourcetype = sourcetype1
blacklist = foo_sourcetype2\.log$
[monitor://c:\Logs\<system>\foo_sourcetype2.log]
disabled = false
sourcetype = sourcetype2
Cool. Thanks.
It seems that there was a (very long) delay after the restart, it was fine after it settled down.
The only addition, similar to @somesoni2's, was:
blacklist = _sourcetype2.log
BTW: Can't add '$' on the regex as there are rotational logs in that directory
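To see why the answer's blacklist works for the plain file but not for rotated copies, and why dropping the `$` fixes it, here is an added example (not code from the thread and not Splunk itself) that models the stanza matching on a few constructed file names. It assumes the placeholder `<system>` is written as a `*` wildcard, that a stanza picks up a file when the path matches its monitor and the blacklist regex does not, that `host_segment` counts segments from 1 after the drive letter (so `host_segment = 2` yields the system name, as reported above), and it escapes the dot in the poster's `_sourcetype2.log`. The second stanza carries its own `host_segment` since the setting is per stanza. None of this is a statement about Splunk's internal precedence; it only shows which files each stanza would claim.

```python
import re

# Constructed sample files (not from the thread) under c:\Logs\<system>\,
# including rotated copies of the sourcetype2 log.
SAMPLE_PATHS = [
    r"c:\Logs\server01\app.log",
    r"c:\Logs\server01\foo_sourcetype2.log",
    r"c:\Logs\server01\foo_sourcetype2.log.1",           # rotated copy
    r"c:\Logs\server02\foo_sourcetype2.log.2020-01-01",  # date-stamped rotation
]


def monitor_matches(monitor, path):
    """True if PATH is the file named by MONITOR or lies below the directory it names.
    '*' matches within one path segment only (assumed wildcard semantics)."""
    segs = monitor.rstrip("\\").split("\\")
    rx = r"\\".join(r"[^\\]*".join(re.escape(p) for p in s.split("*")) for s in segs)
    return re.match(rx + r"(\\|$)", path, re.IGNORECASE) is not None


def host_from_segment(path, host_segment):
    """Path segment used as host. Assumption: segments are numbered from 1 after
    the drive letter, so host_segment = 2 on c:\\Logs\\<system>\\file gives <system>."""
    segs = path.split("\\")[1:]  # drop 'c:'
    return segs[host_segment - 1]


def claimants(stanzas, path):
    """Sourcetypes of every stanza that would pick up PATH: the monitor matches and
    the blacklist regex (if any) does not. One claimant is what you want; two means
    the same file is read twice; none means it is dropped."""
    out = []
    for st in stanzas:
        if not monitor_matches(st["monitor"], path):
            continue
        if st.get("blacklist") and re.search(st["blacklist"], path):
            continue
        out.append(st["sourcetype"])
    return out


def audit(stanzas):
    """Map each sample path to the list of sourcetypes claiming it."""
    return {p: claimants(stanzas, p) for p in SAMPLE_PATHS}


BROAD = {"monitor": "c:\\Logs\\", "host_segment": 2, "sourcetype": "sourcetype1"}
SPECIFIC = {"monitor": r"c:\Logs\*\foo_sourcetype2.log*", "host_segment": 2,
            "sourcetype": "sourcetype2"}

# The question's first attempt: no blacklist, so the broad stanza also reads the file.
ORIGINAL = [BROAD, SPECIFIC]
# The answer's blacklist, anchored with $: plain file excluded, rotated copies are not.
ANSWER = [dict(BROAD, blacklist=r"foo_sourcetype2\.log$"), SPECIFIC]
# The poster's final form without $ (dot escaped here): rotated copies excluded too.
FINAL = [dict(BROAD, blacklist=r"_sourcetype2\.log"), SPECIFIC]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("answer", ANSWER), ("final", FINAL)):
        print(name)
        for path, who in audit(cfg).items():
            print("  %-52s -> %s (host=%s)" % (path, who or "dropped",
                                               host_from_segment(path, 2)))
```

Running it shows the rotated files claimed by both stanzas under the `$`-anchored blacklist and by only `sourcetype2` once the anchor is removed; the same audit is a quick way to check any new blacklist against a directory listing before restarting the forwarder.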
Make sure that the blacklist prevents the special files from being processed by the existing entry, and then monitor the special files through a different path (be sure to have a good whitelist and blacklist here, too) by creating a soft link, as this explains:
http://answers.splunk.com/answers/268433/data-input-path-name-is-the-same.html