Hello!
I have an application that sends two different .log files to the C:\Program Files (x86)\Application_Data directory. The log files are AAAAAA_MM_DD_YYYY_HH_mm_ss.log and BBBBB_MM_DD_YYYY_HH_mm_ss.log.
I need each log file to go to a separate index in Splunk and have the following inputs.conf configuration:
NOTE: Had to change "Program Files (x86)" to "PROGRA~2"... that took forever to figure out! Geez.
[monitor:///C:\PROGRA~2\Application_Data\AAAAAA*.log]
index=AAAAA_gui
disabled=false
sourcetype=AAAAA_gui.log
[monitor:///C:\PROGRA~2\Application_Data\BBBBB*.log]
index=BBBBB_app
disabled=false
sourcetype=BBBBB_app.log
If I remove one stanza, the remaining stanza forwards the appropriate data. If they are both in the inputs.conf, none are sent to Splunk.
I've tried blacklist and whitelist on each.
I think that because these have wildcards, the monitor stanzas are "overlapping" in some way. So I would recommend this:
inputs.conf
[monitor:///C:\PROGRA~2\Application_Data\]
# whitelist is a regex matched against the full path; no spaces around the pipe, they would become part of the pattern
whitelist=AAAAAA.*\.log$|BBBBB.*\.log$
disabled=false
props.conf
[source::C:\PROGRA~2\Application_Data\AAAAA*.log]
sourcetype=AAAAA_gui.log
[source::C:\PROGRA~2\Application_Data\BBBBB*.log]
sourcetype=BBBBB_app.log
props.conf
[AAAAA_gui.log]
TRANSFORMS-AAAAA=send_to_index_AAAAA_gui
[BBBBB_app.log]
TRANSFORMS-BBBBB=send_to_index_BBBBB_app
transforms.conf
[send_to_index_AAAAA_gui]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=AAAAA_gui
[send_to_index_BBBBB_app]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=BBBBB_app
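As an added check (not part of this thread or of Splunk itself), the script below models the routing recommended above in plain Python: the whitelist is applied as an unanchored regex search on the full path, the source:: stanzas are treated as globs, and the TRANSFORMS stanzas as a sourcetype-to-index map. It assumes constructed filenames in the question's naming pattern and shows why a whitelist with spaces around the pipe matches nothing.

```python
import re
from fnmatch import fnmatch

# Constructed sample paths following the AAAAAA_/BBBBB_ naming from the question.
FILES = [
    r"C:\PROGRA~2\Application_Data\AAAAAA_01_02_2024_10_11_12.log",
    r"C:\PROGRA~2\Application_Data\BBBBB_01_02_2024_10_11_12.log",
    r"C:\PROGRA~2\Application_Data\AAAAAA_01_02_2024_10_11_12.log.bak",
]

# Spaces around the pipe become part of the regex: "$ " can never match,
# and " BBBBB" needs a literal space that no path contains.
WHITELIST_SPACED = r"AAAAAA.*\.log$ | BBBBB.*\.log$"
WHITELIST_FIXED = r"AAAAAA.*\.log$|BBBBB.*\.log$"

# source:: pattern -> sourcetype, mirroring the props.conf stanzas above.
# Simplified model: '*' in a source:: stanza is treated as a shell glob here.
SOURCE_TO_SOURCETYPE = {
    r"C:\PROGRA~2\Application_Data\AAAAA*.log": "AAAAA_gui.log",
    r"C:\PROGRA~2\Application_Data\BBBBB*.log": "BBBBB_app.log",
}
# sourcetype -> index, mirroring the TRANSFORMS-*/FORMAT stanzas above.
SOURCETYPE_TO_INDEX = {"AAAAA_gui.log": "AAAAA_gui", "BBBBB_app.log": "BBBBB_app"}


def monitored(path, whitelist):
    """Whitelist semantics modelled as an unanchored regex search on the full path."""
    return re.search(whitelist, path) is not None


def route(path):
    """Return (sourcetype, index) for a file, or None when no source:: stanza matches."""
    for pattern, sourcetype in SOURCE_TO_SOURCETYPE.items():
        if fnmatch(path, pattern):
            return sourcetype, SOURCETYPE_TO_INDEX[sourcetype]
    return None


def summarize(whitelist):
    """Map each basename to its (sourcetype, index), or None if the whitelist drops it."""
    return {p.rsplit("\\", 1)[-1]: route(p) if monitored(p, whitelist) else None
            for p in FILES}


if __name__ == "__main__":
    for name, wl in (("spaced", WHITELIST_SPACED), ("fixed", WHITELIST_FIXED)):
        print(name, summarize(wl))
```

The .log.bak file is dropped by both whitelists because of the `$` anchor, which is the behaviour you want for rotated copies.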
Are the files appearing in any index?
I appreciate the help; sorry for the several comments... I do not understand why there would be a character limit for replies in the forum...
I restarted the forwarder service.
On the splunk server/indexer:
props.conf was not located at C:\Program Files\Splunk\etc\system\local, so I created it as follows:
[AAAAA_gui.log]
TRANSFORMS-AAAAA=send_to_index_AAAAA_gui
[BBBBB_app.log]
TRANSFORMS-BBBBB=send_to_index_BBBBB_app
Additionally, transforms.conf was not in C:\Program Files\Splunk\etc\system\local, so I created it as follows:
[send_to_index_AAAAA_gui]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=AAAAA_gui
[send_to_index_BBBBB_app]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=BBBBB_app
No success yet:
inputs.conf: C:\Program Files\SplunkUniversalForwarder\etc\system\local
[default]
host = xxxxxx
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor:///C:\PROGRA~2\Application_Data\]
# whitelist is a regex; the spaces around the pipe would be matched literally, so none are used here
whitelist=AAAAAA.*\.log$|BBBBB.*\.log$
disabled=false
props.conf was not in "C:\Program Files\SplunkUniversalForwarder\etc\system\local" so I created it exactly as below:
[source::C:\PROGRA~2\Application_Data\AAAAA*.log]
sourcetype=AAAAA_gui.log
[source::C:\PROGRA~2\Application_Data\BBBBB*.log]
sourcetype=BBBBB_app.log