I have a large number of Universal Forwarders that forward Apache access logs. On my systems, the apache access logs are named
To simplify our environment a bit, I want to change our apache app to index "-access.log" or maybe even "*access". If I do the latter ("access") and restart the forwarder, will Splunk re-index all of the access log files? I do not want it to.
Thanks!
The fishbucket will keep track of what files have been indexed, and I don't think that it will care too much regarding the exact [monitor] stanza wording. Determining if a file has been read or not is more of an issue about checksums of the actual file(s) being monitored.
http://wiki.splunk.com/Community:HowSplunkReadsInputFiles
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/
One thing, though. If you create a common [monitor] for <hostname>-access.log and <hostname>-ssl-access.log, they would have to share the same sourcetype, which can be fine, if the contents (read: columns) of the file are the same. Have a read here as well;
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whysourcetypesmatter
/Kristian
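A simplified model of the checksum-based tracking described in the answer above, added here as an example (not Splunk's code and not part of the original posts). The file names, log lines and glob patterns are constructed, and keying on a CRC of the first 256 bytes of each file is a modelling assumption.

```python
import fnmatch
import zlib

INIT_CRC_LENGTH = 256  # bytes hashed from the start of each file (assumption of this model)


class TrackerModel:
    """Toy stand-in for the fishbucket: content checksum -> bytes already read."""

    def __init__(self):
        self.seen = {}

    def scan(self, files, pattern):
        """Read every file matching `pattern`; return {name: newly indexed bytes}."""
        indexed = {}
        for name, data in sorted(files.items()):
            if not fnmatch.fnmatch(name, pattern):
                continue
            # The key comes from file content only, never from the pattern.
            key = zlib.crc32(data[:INIT_CRC_LENGTH])
            offset = self.seen.get(key, 0)
            if len(data) > offset:
                indexed[name] = data[offset:]
            self.seen[key] = len(data)
        return indexed


def line(host, n):
    """Build one constructed access-log line."""
    return (f'10.0.0.{n} - - [01/Jan/2013:00:00:{n:02d} +0000] '
            f'"GET /{host}/{n} HTTP/1.1" 200 512\n').encode()


# Constructed sample files, each longer than INIT_CRC_LENGTH.
FILES = {
    "web01-access.log": b"".join(line("web01", n) for n in range(10)),
    "web01-ssl-access.log": b"".join(line("web01-ssl", n) for n in range(10)),
}


def demo():
    tracker = TrackerModel()
    files = dict(FILES)
    first = tracker.scan(files, "*-access.log")   # original stanza (hypothetical)
    second = tracker.scan(files, "*access*")      # widened stanza after a restart
    files["web01-access.log"] += line("web01", 10)
    third = tracker.scan(files, "*access*")       # only the appended line is new
    return first, second, third
```

In this model, two different files whose first 256 bytes are identical would share one tracking entry, which is the case to check for before relying on a broad wildcard.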
Kristian,
Thank you for the helpful reply. Yes, I understand they would be sharing a common sourcetype, and I am fine with that. I was more concerned with duplicate entries, which from what you describe shouldn't be an issue.
Thanks again!