Getting Data In

Multiple error_log files

rwssoccer1
New Member

Maybe you can help me out with something. I have multiple files of the same type, error_log files, that are named different. An example would be /var/log/httpd/error_log, /var/log/httpd/error_log-1..etc.....the data input is set to be "/var/log/httpd/error_log*" what is the best way do this instead of having separate sources for these logs to have it under one source called access_log?

Tags (1)
0 Karma
1 Solution

simuvid
Splunk Employee
Splunk Employee

You can simply override the source setting either in the UI, while defining the new DataIput, or in the inputs.conf file, with something like:

[monitor:/var/log/httpd/error_log*]
disabled = false
followTail = 1
host = apache-1.splunk.com
sourcetype = access_combined
source = access_log

Hope that helps?

Cheers,

simuvid

View solution in original post

simuvid
Splunk Employee
Splunk Employee

You can simply override the source setting either in the UI, while defining the new DataIput, or in the inputs.conf file, with something like:

[monitor:/var/log/httpd/error_log*]
disabled = false
followTail = 1
host = apache-1.splunk.com
sourcetype = access_combined
source = access_log

Hope that helps?

Cheers,

simuvid

rwssoccer1
New Member

Awesome! works like a charm.. Thank you!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...