I have a universal forwarder monitoring the /var/log directory on our syslog server. In the directory I have the files aaa, bbb, ccc, plus other files. What is the best way to monitor these files and set different sourcetypes? I want to set a different sourcetype for those three files, and then everything else would be sourcetype=syslog. Would the following work?
[monitor:///var/logs]
blacklist = aaa|bbb
sourcetype=syslognew
[monitor:///var/logs]
blacklist = aaa|ccc
sourcetype=syslogvmware
[monitor:///var/logs]
blacklist = ccc|bbb
sourcetype=syslogaaa
[monitor:///var/logs]
blacklist = aa|bbb|ccc
sourcetype=syslog
I would NOT recommend this method. Each monitor stanza should be unique. Do this instead:
inputs.conf
[monitor:///var/log]
props.conf (in the same directory)
[source::aaa]
sourcetype=syslogaaa
[source::bbb]
sourcetype= syslogvmware
etc.
Note that you are using Splunk's automatic sourcetyping in inputs.conf. Then you can use props.conf to set sourcetypes for individual inputs - if needed.
Thanks for the answer, How would you configure the source statement to get everything starting with aaa? would [source::aaa*] work?
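To make the `[source::...]` matching in the answer above and the `[source::aaa*]` follow-up question concrete, here is an added example (my own illustration, not Splunk code or anything from the original thread). It is a small simulator of how a props.conf source stanza pattern is matched against the source value a monitor input reports, which for file monitoring is the full path of the file. It applies Splunk's documented wildcard semantics: `*` matches any characters except the path separator, `...` matches any characters including path separators, everything else is literal. The rule table, the sample paths and the `syslog` default are constructed for the example; picking the first matching rule in listed order is a simplification I assume here, not Splunk's own precedence logic for overlapping stanzas.

```python
import re

# Constructed sample: source values as a [monitor:///var/log] input would report them.
SAMPLE_SOURCES = [
    "/var/log/aaa",
    "/var/log/aaa_2024-01-01",
    "/var/log/bbb",
    "/var/log/ccc",
    "/var/log/messages",
    "/var/log/nested/aaa",
]

# Hypothetical props.conf-style rules as (source pattern, sourcetype) pairs.
# The patterns are written against the full path, which is what the source is.
RULES = [
    ("/var/log/aaa*", "syslogaaa"),
    ("/var/log/bbb", "syslogvmware"),
    ("/var/log/ccc", "syslogccc"),
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a [source::<pattern>] stanza pattern into an anchored regex.

    '...' -> any characters, including '/'
    '*'   -> any characters except '/'
    Anything else is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def resolve_sourcetype(source: str, rules, default: str = "syslog") -> str:
    """Return the sourcetype of the first rule whose pattern matches the source.

    If nothing matches, the default (here the sourcetype the monitor input
    itself assigns, e.g. syslog) stays in effect. First-match ordering is a
    simplification assumed for this example.
    """
    for pattern, sourcetype in rules:
        if pattern_to_regex(pattern).match(source):
            return sourcetype
    return default


def classify(sources, rules, default: str = "syslog") -> dict:
    """Map every source path to the sourcetype the rules would give it."""
    return {src: resolve_sourcetype(src, rules, default) for src in sources}


if __name__ == "__main__":
    for src, st in classify(SAMPLE_SOURCES, RULES).items():
        print(f"{src:30s} -> {st}")
    # A bare 'aaa*' does not match a full path, '...aaa*' does.
    print(resolve_sourcetype("/var/log/aaa", [("aaa*", "syslogaaa")]))
    print(resolve_sourcetype("/var/log/nested/aaa", [("...aaa*", "syslogaaa")]))
```

Running `classify(SAMPLE_SOURCES, RULES)` shows the two points the thread circles around: `/var/log/aaa*` catches both `/var/log/aaa` and `/var/log/aaa_2024-01-01` but not `/var/log/nested/aaa`, because `*` does not cross a `/`, and a bare `aaa*` pattern matches nothing, since the source being compared is the full path rather than the file name. Files no rule matches keep the monitor's default sourcetype.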