monitoring a directory and setting sourcetypes

andywt123 · ‎07-03-2014

I have a universal forwarder monitoring /var/log directory on our syslog server. In the directory I have files of aaa,bbb,ccc, plus other files. What is the best way to monitor these files and set different source types. I want to set a different sourcetype for those three files and then everything else would be sourcetype=syslog. Would the following work?

[monitor:///var/logs]
blacklist = aaa|bbb
sourcetype=syslognew

[monitor:///var/logs]
blacklist = aaa|ccc
sourcetype=syslogvmware

[monitor:///var/logs]
blacklist = ccc|bbb
sourcetype=syslogaaa

[monitor:///var/logs]
blacklist = aa|bbb|ccc
sourcetype=syslog

andywt123 · ‎07-03-2014

Thanks for the answer, How would you configure the source statement to get everything starting with aaa? would [source::aaa*] work?

andywt123 · ‎07-03-2014

Thanks for the answer, How would you configure the source statement to get everything starting with aaa? would [source::aaa*] work?

lguinn2 · ‎07-03-2014

I would NOT recommend this method. Each monitor stanza should be unique. Do this instead

inputs.conf

[monitor:///var/log]

props.conf (in the same directory)

[source::aaa]
sourcetpe=syslogaaa

[source::bbb]
sourcetype= syslogvmware

etc.

Note that you are using Splunk's automatic sourcetyping in inputs.conf. Then you can use props.conf to set sourcetypes for individual inputs - if needed.

andywt123 · ‎07-03-2014

Thanks for the answer, How would you configure the source statement to get everything starting with aaa? would [source::aaa*] work?

monitoring a directory and setting sourcetypes

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!