I turned on monitoring of /var/log, and when it gets to /var/log/yum.log, I am getting 3 different yum source types for my different systems. All systems are the same Linux flavor.
yum
yum-2
yum-too_small
This is messing with my field extractions.
What is causing this behavior?
Thanks.
If sourcetype is not explicitly defined in .conf files (inputs, props or transforms), Splunk will automatically use the logfile name segment as the sourcetype name. You can overwrite this by defining configs and settings in the local directory inside the app.
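One way to set the sourcetype explicitly, as the answer above describes (an added example, not part of the original thread). The `<app>` directory is a placeholder, and `yum` is assumed to be the sourcetype name the field extractions expect.

```ini
# Option A: <app>/local/props.conf on the instance that monitors the file.
# A [source::...] stanza assigns the sourcetype by file path, so it still
# applies when the file is picked up through a broader /var/log monitor.
[source::/var/log/yum.log]
sourcetype = yum

# Option B: <app>/local/inputs.conf, using a dedicated monitor stanza
# for this one file instead of relying on automatic sourcetyping.
[monitor:///var/log/yum.log]
sourcetype = yum
```

Either option is enough on its own. Events already indexed keep the sourcetype they were given, so only data read after the change is affected.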
I guess I assumed that by using the Linux T/A, I wouldn't have to worry about quirks like this?