//inHouseLogs/
' folder on our servers. Right now I'm attempting to split these logs into indexes for each program. Basically the file structure in the folder looks like this:ProgramOne.exe.45624.1.username1.log.log
ProgramOne.exe.56782.1.username2.log.log
ProgramOne.exe.45624.1.username1.log.log.1
ProgramOne.exe.45624.1.username1.log.log.2
ProgramTwo.exe.95862.1.username3.log.log
ProgramTwo.exe.95862.1.username3.log.log.1
(\\SplunkUniversalForwarder\etc\system\local
) setup for it:[default]
host = server001
[monitor://c:\inHouseLogs\ProgramOne(.*)/.log$(.*)]
disabled = false
sourcetype = programOne_logs
index = programOne
[monitor://c:\inHouseLogs\ProgramTwo(.*)/.log$(.*)]
disabled = false
sourcetype = programTwo_logs
index = programTwo
[WinEventLog:Application]
disabled = 0
start_from = newest
index = system
[WinEventLog:System]
disabled = 0
current_only = 1
index = system
================================
Does this good or am I doing something wrong? Also should I be editing the indexes.conf in \etc\system\local
in or \etc\apps\search\local
Nelsonbarringer,
The regexes on the monitor header may not do what you want to do. The asterisk (*) matches anything in a single path segment while "..." will recurse through directories.
I think you'd be better off using whitelist and blacklist under your monitor stanzas.
Check here for more info on white/blacklisting: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!