Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can multiple sourcetypes be monitored from the same path

tim9gray
Explorer
‎08-19-2013 07:53 PM

I know that this question has been asked quite a few times, but I have not been able to resolve this. Can I monitor multiple sourcetypes from the same path? The answer seems to be yes, but this just wont work for me.

If I specify two monitors that reference the same directory, I only get data from the second monitor stanza in my inputs.conf. I suspect there is something subtle happening here I have not picked up on. Does anyone have any suggestions? Below is an example
of the inputs.conf I have been using.

[monitor:///home/bob/time_data.csv]
sourcetype = DGC_TIME
index=main

[monitor:///home/bob/pulse_data.csv]
sourcetype = DGC_PULSE
index=main

0 Karma
Reply

HiroshiSatoh
Champion
‎08-20-2013 06:10 PM

I tried in the same setting, but it went well. This is version 5.0.3 of the Linux.

However, it failed the wrong character encoding of the CSV file first.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-20-2013 12:57 AM

To find out what the TailingProcessor is (not) doing, you can look in the splunkd.log or perhaps more easily query the REST interface directly:

Go to the machine where the inputs.conf file is at (forwarder or indexer). You need to authenticate with the correct admin password for that instance (admin/changeme) if still at default.

https://your_host:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Scroll down until you find your file and the corresponding status message.

This link may also be helpful;

http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

/K

Reply

tim9gray
Explorer
‎08-24-2013 08:08 AM

I figured it out. The files I was interested in all started with exactly the first eleven lines, so Splunk thought they were all the same file. I had to use the crcsalt option in inputs.conf.

0 Karma
Reply

gfuente
Motivator
‎08-20-2013 12:20 AM

Hello

For sure you can do that, and for your particular problem, i would check file permissions, as your configuration appears to be fine.

Regards

Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...