Hi,
I have configured an app that is pushed from a deployment server to a remote Windows host to read DAT files.
Links already referenced:
http://splunk-base.splunk.com/answers/60643/archiveprocessor-bypassing-normal-systemlocalpropsconf-p...
https://answers.splunk.com/answers/55279/handling-text-dat-files-how-can-i-override-splunks-system-d...
The configuration looks like this:
props.conf
[source::....(dat)]
sourcetype = mysourcetype
inputs.conf
[default]
index = app
sourcetype = mysourcetype
[monitor://D:\folder\folder\Server34\encyc\status\*\*]
[monitor://C:\Anupama\status\...\...]
[monitor://C:\folder\status\*\*]
[monitor://C:\folder\status\*.dat]
It is weird that all the files in the folder are getting read, except for the required DAT files.
Can someone help with the best configurations, please?
I'd recommend reading here for best practices on monitor and wildcards:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Specifyinputpathswithwildcards
Your monitors should look more like
[monitor://path*/*.dat]
sourcetype = mysourcetype
As for the source statement, this would re-sourcetype all dat files; however, I'm not sure if your syntax is correct on this. Typically it should look more like
[source::.....dat]
Notice the 4 x "...." + ".dat". Yours doesn't have this, so I'm not sure if it's going to match correctly.
Out of curiosity, does your ".dat" contain ASCII or binary data? Without pre-processing this into ASCII / human-readable format, it won't be worth indexing.
esix [Splunk] ,
Thanks for your inputs here.
Yes, the DAT file contains ASCII values in readable format.
Thanks
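An added example (not written by any poster in this thread, and not Splunk's code): a simplified Python model of the wildcard translation described on the documentation page linked above, where `...` recurses through directories and `*` stays inside one path segment, run over the monitor paths from the question. The function names and the sample file paths are assumptions made for illustration; the model covers path selection only, not sourcetyping or binary-file handling.

```python
import re

# Simplified model (assumption) of the documented monitor wildcards:
#   "..." -> ".*"      recurses through any number of directory levels
#   "*"   -> "[^\\]*"  matches within one path segment (Windows separator)
def monitor_to_regex(path):
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        else:
            out.append(re.escape(path[i]))  # literal character, e.g. "." or "\"
            i += 1
    # Case-insensitive because Windows paths are (assumption of this model)
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matching_stanzas(file_path, stanzas):
    """Return the monitor paths whose wildcard pattern selects file_path."""
    return [s for s in stanzas if monitor_to_regex(s).match(file_path)]

# Monitor paths copied from the question's inputs.conf
STANZAS = [
    r"D:\folder\folder\Server34\encyc\status\*\*",
    r"C:\Anupama\status\...\...",
    r"C:\folder\status\*\*",
    r"C:\folder\status\*.dat",
]

# Constructed sample file paths (not from the thread)
SAMPLES = [
    r"C:\folder\status\node1\health.dat",   # one level below status
    r"C:\folder\status\health.dat",         # directly in status
    r"C:\folder\status\node1\health.log",   # non-DAT file, one level down
    r"C:\Anupama\status\a\b\c\health.dat",  # deep nesting
    r"C:\folder\status\a\b\health.dat",     # two levels below status
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", matching_stanzas(p, STANZAS) or "no stanza")
```

In this model `*\*` selects every file exactly one directory below `status`, whatever its extension, while only `...` reaches deeper levels.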