Hi,
Please help me troubleshoot.
WHAT I NEED: I have to assign sourcetypes based on the log file being read into Splunk.
The mapping I am supposed to use is given below,
(Please click on file at end of question to view clearly)
WHAT IS MY ISSUE: The logs are not getting uploaded into Splunk (maybe because regex is not allowed in monitor://).
WHAT I HAVE USED:
The inputs.conf I am using is as given below,
[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_access_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:infaccess

[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_error_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:inferror

[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_direct_access_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:infdirectaccess

[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_perf_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:infperf

[monitor://cib\logs\WebLogs\retailCustomerProfile-Audit-(un)?mana[\w\d-.]*log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:jvmaudit

[monitor://cib\logs\WebLogs\retailCustomerProfile-(un)?mana[\w\d-.]*log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:jvm

[monitor://cib\logs\WebLogs\retailCustomerProfile-Performance-(un)?mana[\w\d-.]*log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:jvmperf
Thanks,
Deepak
One possible solution, if all else fails, is to bring everything in as one sourcetype, then modify the sourcetype at index time via a transform.
inputs.conf:
[monitor://<your path>]
sourcetype = tempsourcetype
props.conf:
[tempsourcetype]
TRANSFORMS-set_st = set_st_infaccess,set_st_inferror
transforms.conf:
# REGEX is a PCRE match against the full source path, so each backslash in a
# Windows path has to be doubled, and the hyphen goes last in the character
# class so it is read as a literal rather than a range.
[set_st_infaccess]
REGEX = cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_access_log$
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app:WRWFP:infaccess

[set_st_inferror]
REGEX = cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_error_log$
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app:WRWFP:inferror
You would create one transform per source regex/sourcetype combination.
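A dry run of the transform approach above, covering all seven patterns from the inputs.conf in the question, as an added example (not Splunk's code and not either poster's). It reproduces two Splunk behaviours the answer depends on: REGEX in transforms.conf is an unanchored PCRE search against MetaData:Source, and the transforms named in TRANSFORMS-set_st run in order, each one overwriting MetaData:Sourcetype, so the last matching transform wins. That ordering matters here because `[\w.-]*` also swallows `_direct`, so the `_access_log$` regex matches the `_direct_access_log` files as well. The sample source paths, the `C:` drive prefix and the `tempsourcetype` default are constructed for the example; the path separator class `[\\/]` is an assumption that lets the same regex work whether the forwarder reports `\` or `/`.

```python
"""Dry-run source-to-sourcetype transforms before deploying them.

Added example: mimics Splunk applying TRANSFORMS-set_st (in order, last
match wins) so the regexes and their ordering can be checked offline.
"""
import re

# Inside a transforms.conf REGEX a literal backslash is written as \\ ;
# this class accepts either separator (assumption for the example).
SEP = r"[\\/]"
HTTPD = "cib" + SEP + "logs" + SEP + "httpd" + SEP + r"(inf_)?(un)?mana[\w.-]*"
WEBLOGS = "cib" + SEP + "logs" + SEP + "WebLogs" + SEP + "retailCustomerProfile-"

# (stanza name, REGEX, sourcetype) in the order listed in TRANSFORMS-set_st.
# Hyphen last in [\w.-] so it is a literal; \d is already covered by \w.
TRANSFORMS = [
    ("set_st_infaccess",       HTTPD + r"_access_log$",        "app:WRWFP:infaccess"),
    ("set_st_inferror",        HTTPD + r"_error_log$",         "app:WRWFP:inferror"),
    ("set_st_infperf",         HTTPD + r"_perf_log$",          "app:WRWFP:infperf"),
    # Must be listed AFTER set_st_infaccess: that regex also matches
    # *_direct_access_log, and whichever transform runs last wins.
    ("set_st_infdirectaccess", HTTPD + r"_direct_access_log$", "app:WRWFP:infdirectaccess"),
    ("set_st_jvm",             WEBLOGS + r"(un)?mana[\w.-]*log$",             "app:WRWFP:jvm"),
    ("set_st_jvmaudit",        WEBLOGS + r"Audit-(un)?mana[\w.-]*log$",       "app:WRWFP:jvmaudit"),
    ("set_st_jvmperf",         WEBLOGS + r"Performance-(un)?mana[\w.-]*log$", "app:WRWFP:jvmperf"),
]

# Constructed sample MetaData:Source values (not from the post) and the
# sourcetype each should end up with; None means "left as tempsourcetype".
EXPECTED = {
    r"C:\cib\logs\httpd\inf_unmanaged_access_log": "app:WRWFP:infaccess",
    r"C:\cib\logs\httpd\managed-01_error_log": "app:WRWFP:inferror",
    r"C:\cib\logs\httpd\inf_managed_direct_access_log": "app:WRWFP:infdirectaccess",
    r"C:\cib\logs\httpd\unmanaged_perf_log": "app:WRWFP:infperf",
    r"C:\cib\logs\WebLogs\retailCustomerProfile-Audit-unmanaged.log": "app:WRWFP:jvmaudit",
    r"C:\cib\logs\WebLogs\retailCustomerProfile-managed.log": "app:WRWFP:jvm",
    r"C:\cib\logs\WebLogs\retailCustomerProfile-Performance-managed.log": "app:WRWFP:jvmperf",
    r"C:\cib\logs\httpd\access_log.old": None,
}


def resolve(source, transforms=TRANSFORMS, default="tempsourcetype"):
    """Apply the transforms the way Splunk does: in order, last match wins."""
    sourcetype = default
    for _name, regex, st in transforms:
        if re.search(regex, source):
            sourcetype = st
    return sourcetype


def matching_transforms(source, transforms=TRANSFORMS):
    """Every transform whose REGEX hits this source; more than one means the
    final sourcetype depends on the order in TRANSFORMS-set_st."""
    return [name for name, regex, _st in transforms if re.search(regex, source)]


def render_transforms_conf(transforms=TRANSFORMS):
    """Emit transforms.conf stanzas; REGEX values go in verbatim because
    Splunk reads them as PCRE with no extra unescaping layer."""
    out = []
    for name, regex, st in transforms:
        out.append(f"[{name}]\nREGEX = {regex}\nSOURCE_KEY = MetaData:Source\n"
                   f"DEST_KEY = MetaData:Sourcetype\nFORMAT = sourcetype::{st}\n")
    return "\n".join(out)


def render_props_conf(transforms=TRANSFORMS, temp="tempsourcetype"):
    """Emit the props.conf stanza that chains the transforms in order."""
    names = ",".join(name for name, _regex, _st in transforms)
    return f"[{temp}]\nTRANSFORMS-set_st = {names}\n"


def check_mapping(expected=EXPECTED, transforms=TRANSFORMS):
    """Return (source, got, want) for every mismatch; empty means deployable."""
    bad = []
    for source, want in expected.items():
        got = resolve(source, transforms)
        if got != (want or "tempsourcetype"):
            bad.append((source, got, want))
    return bad


if __name__ == "__main__":
    print(render_props_conf())
    print(render_transforms_conf())
    for src in EXPECTED:
        print(f"{src} -> {resolve(src)}  via {matching_transforms(src)}")
    print("mismatches:", check_mapping())
```

Two caveats when moving this to a real deployment: index-time TRANSFORMS in props.conf are applied where parsing happens (an indexer or heavy forwarder), not on a universal forwarder, so the props.conf and transforms.conf belong on that tier; and the `$` anchors mean rotated copies such as `_access_log.1` stay on `tempsourcetype`, which is the right outcome if only the live files should be indexed, but worth confirming against `matching_transforms()` before going live.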