Hello,
I am trying to index the following files:
c:\test\access.log
c:\test\access_00.0.log
c:\test\access_00.0.trc
c:\test\log\responses_01.0.trc
c:\test\log\responses_01.0.log
The sourcetypes for those files are:
c:\test\access.log --> SAP
c:\test\access_00.0.log --> SAP
c:\test\access_00.0.trc --> SAP
c:\test\log\responses_01.0.trc --> SAPResponse
c:\test\log\responses_01.0.log --> SAP
My inputs.conf file is the following:
[monitor://C:\test\]
recursive = false
index = sap
disabled = false
whitelist=\.log$|\.trc$
ignoreOlderThan = 1d
[monitor://C:\test\log\]
recursive = true
index = sap
disabled = false
whitelist=\.log$|\.trc$
ignoreOlderThan = 1d
And my props.conf:
[source::...\.log$]
sourcetype = SAP
[source::.../access_*.*.trc.*$]
sourcetype = SAPResponse
When the files are indexed, all of them have the "default" sourcetype and not the right ones that I have defined in props. Any idea why?
Thanks in advance,
Thanks for the suggestions provided. In the end, I have found the solution:
In inputs.conf
[monitor://C:\test2]
recursive = true
index = sap
disabled = false
whitelist=(.log|.trc)$
ignoreOlderThan = 1d
In props.conf
[source::C:\test2\log\resp*trc]
sourcetype = SAPResponse
priority = 10
[source::....(log*|trc*)]
sourcetype = SAP
priority = 5
Now Splunk gets the files and assigns the right sourcetype to each file here.
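An added example, not part of the original posts: a Python check that compares the two whitelist values used in this thread against a set of constructed file paths, to show which extra files the unescaped-dot form admits into the index. It assumes the whitelist is applied as an unanchored regular-expression search over the full path; the sample paths and function names are made up for illustration.

```python
import re

# Whitelist values copied from the two inputs.conf versions in this thread.
WHITELIST_QUESTION = r"\.log$|\.trc$"   # dots escaped: literal ".log" / ".trc"
WHITELIST_SOLUTION = r"(.log|.trc)$"    # dots unescaped: any character + "log"/"trc"

# Constructed sample paths (not from the thread) covering the intended files
# plus a few names that merely end in "log" or "trc".
SAMPLE_PATHS = [
    r"C:\test2\access.log",
    r"C:\test2\access_00.0.trc",
    r"C:\test2\log\responses_01.0.trc",
    r"C:\test2\log\responses_01.0.log",
    r"C:\test2\log\backlog",     # no extension, ends in "klog"
    r"C:\test2\export_trc",      # "_trc" is not a file extension
    r"C:\test2\access.log.1",    # rotated copy, matched by neither pattern
    r"C:\test2\notes.txt",
]


def monitored(whitelist, paths):
    """Return the paths the whitelist admits (assumption: unanchored search on the full path)."""
    rx = re.compile(whitelist)
    return [p for p in paths if rx.search(p)]


def extra_matches(strict, loose, paths):
    """Return paths admitted by the loose whitelist but not by the strict one."""
    strict_hits = set(monitored(strict, paths))
    return [p for p in monitored(loose, paths) if p not in strict_hits]


if __name__ == "__main__":
    print("Admitted by the escaped form:")
    for p in monitored(WHITELIST_QUESTION, SAMPLE_PATHS):
        print("  ", p)
    print("Additionally admitted by the unescaped form:")
    for p in extra_matches(WHITELIST_QUESTION, WHITELIST_SOLUTION, SAMPLE_PATHS):
        print("  ", p)
```

Writing the whitelist as `\.(log|trc)$` keeps the grouping of the second form while matching only real `.log` and `.trc` extensions.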
You probably want to specify sourcetype in your monitor stanza, creating new stanzas as necessary. You can use a TRANSFORMS action in props.conf to accomplish this, but for your needs I don't think it should be necessary.
Look at inputs.conf for how you can use .. and ... with wildcards to accomplish what you need here.
What kind of forwarder are you using? Try putting the props.conf changes on the indexers.
Also, give this a try
inputs.conf on forwarder
[monitor://C:\test\access*.log]
recursive = false
index = sap
sourcetype = SAP
disabled = false
ignoreOlderThan = 1d
[monitor://C:\test\access*.trc]
recursive = false
index = sap
sourcetype = SAP
disabled = false
ignoreOlderThan = 1d
[monitor://C:\test\log\responses*.log]
recursive = false
index = sap
sourcetype = SAP
disabled = false
ignoreOlderThan = 1d
[monitor://C:\test\log\responses*.trc]
recursive = false
index = sap
sourcetype = SAPResponse
disabled = false
ignoreOlderThan = 1d