Is it possible to monitor a directory for files that will be input with different source types (assuming I'd use whitelist) or will I need to create and monitor a different directory for each sourcetype?
So 1 directory:

```ini
[monitor:///apps/splunk/staging/prod/crd/]
sourcetype = Windows_Events
whitelist = \d+-\S{8}_Windows_Events_\d{8}.csv

[monitor:///apps/splunk/staging/prod/crd/]
sourcetype = Windows_Users
whitelist = \d+-\S{8}_Windows_Users_\d{8}.csv
```

OR 2 dirs:

```ini
[monitor:///apps/splunk/staging/prod/crd/winEvents]
sourcetype = Windows_Events

[monitor:///apps/splunk/staging/prod/crd/winUsers]
sourcetype = Windows_Users
```
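Before deploying option 1, it is worth checking how the two whitelist regexes behave against real filenames. The script below is an added example, not part of the question or Splunk's own code; it applies the two whitelists exactly as written above to a constructed list of filenames and reports which sourcetype each file would be assigned. It assumes what Splunk's inputs.conf documents: the whitelist is a regex searched (unanchored) against the file's full path.

```python
import re

# Whitelist regexes copied verbatim from the two stanzas in the question.
WHITELISTS = {
    "Windows_Events": r"\d+-\S{8}_Windows_Events_\d{8}.csv",
    "Windows_Users": r"\d+-\S{8}_Windows_Users_\d{8}.csv",
}


def classify(filename, whitelists=WHITELISTS):
    """Return the sourcetypes whose whitelist matches the filename.

    re.search mirrors Splunk's unanchored whitelist matching: a match
    anywhere in the path is enough for the file to be picked up.
    """
    return [st for st, rx in whitelists.items() if re.search(rx, filename)]


# Constructed sample filenames for the check (not taken from the question).
SAMPLE_FILES = [
    "42-ABCDEFGH_Windows_Events_20240101.csv",
    "42-ABCDEFGH_Windows_Users_20240101.csv",
    # The regex has no end anchor and an unescaped '.', so an in-progress
    # temp file with a trailing suffix is still matched and may be read early.
    "42-ABCDEFGH_Windows_Events_20240101.csv.tmp",
    "notes.txt",
]


def report(files=SAMPLE_FILES):
    """Map each filename to the sourcetypes that would claim it."""
    return {f: classify(f) for f in files}


def overlapping(files=SAMPLE_FILES):
    """Files matched by more than one stanza: these would be ambiguous."""
    return [f for f in files if len(classify(f)) > 1]


if __name__ == "__main__":
    for f, sourcetypes in report().items():
        print(f"{f}: {sourcetypes or ['<not monitored>']}")
    print("ambiguous files:", overlapping())
```

The two regexes select disjoint sets for the sample names, so the files themselves do not collide; the `.csv.tmp` case shows that an unanchored whitelist also catches partially written files unless the pattern is anchored with `$` and the dot is escaped.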
Option 2 is nicer and easier to troubleshoot.

But there is an option 3 with a single folder, but 2 monitors, and the filter in the path:

```ini
[monitor:///apps/splunk/staging/prod/crd/.../Windows_Events/*.csv]
sourcetype = Windows_Events

[monitor:///apps/splunk/staging/prod/crd/.../Windows_Users/*.csv]
sourcetype = Windows_Users
```
Go with option no. 2. That way, there are no uncertainties with how this will be handled by Splunk.

/K