Re: Monitor different sourcetype in sub-directorie...

lain179 · ‎06-11-2013

I have to monitor two source types in this following directory structure

\\Server\Path\{can be any name}.log == > sourcetype = FirstLog

\\Server\Path\SubPath\{can be any name}.csv == > sourcetype = SecondLog

How do I set up the inputs.conf? Right now, my first monitor for \\Server\Path is working but the next monitor for \\Server\Path\SubPath is not working.

JSapienza · ‎06-12-2013

Set the monitor specific to the file in your inputs.conf :

[monitor://\\Server\share\*.log]
sourcetype = FirstLog

[monitor://\\Server\Share\Directory\*.csv]
sourcetype = SecondLog

JSapienza · ‎06-13-2013

It was a suggestion is you are have trouble accessing the files by UNC path. I modified the example to reflect using a wildcard for the file name.

lain179 · ‎06-13-2013

Sorry, I don't understand what it has anything to do with my problem with assigning log files from subdirectories to different sourcetype.

*** Also I can't hard code the name of the log files because as I described log file name can vary. It can be any name.

JSapienza · ‎06-13-2013

The inputs.conf example should still work. If you are using UNC paths then you might want to take a look at this:
http://splunk-base.splunk.com/answers/35281/splunk-index-logs-from-network-drive

lain179 · ‎06-13-2013

Sorry, the slashes didn't show up correctly in my message. That's not what I need. I updated the message above.

Monitor different sourcetype in sub-directories

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio