Hello
I have two apps apache_forwarder and apache_unified_forwarder. I am getting ready to retire the apache_unified_forwarder app but there are a few issues in inputs.conf that need to be resolved first.
I need to combine the sourcetypes. How would I combine this stanza without breaking sourcetyping or duplicating data:

[monitor:///var/log/httpd/ssl_access_log]
disabled = false
sourcetype = s_apache
index = apache_access_logs
recursive=false
whitelist = /ssl_access_log$
followSymlink = false

into

[monitor:///var/log/httpd/access_log]
disabled = false
followTail = 0
sourcetype = access_combined
index = apache_access_logs
recursive=false
followSymlink = false
whitelist=access_log$
blacklist=ssl

[monitor:///var/log/httpd/error_log]
disabled = false
followTail = 0
sourcetype = apache_error
index = apache_access_logs
recursive=false
followSymlink = false

[monitor:///var/log/httpd/ssl_access_log]
disabled = false
followTail = 0
sourcetype = apache_combined
index = apache_access_logs
recursive=false
followSymlink = false
whitelist=ssl_access_log$

[monitor:///var/log/httpd/mod_jk.log]
disabled = false
followTail = 0
sourcetype = mod_jk
index = mod_jk
recursive=false
followSymlink = false

I am sure you can figure something out using sourcetype renaming, which allows you to see both the original as field _sourcetype and the renamed one as field sourcetype:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Renamesourcetypes

Yes, I found that; the problem is that any savedsearch/dashboard/alert that uses sourcetype=whatever will have to be found and changed.
Thanks for the link, much appreciated.
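
An added example, not part of the original thread: before retiring one app, a short script can list every monitor stanza that both inputs.conf files define and the keys on which they disagree, which is where the sourcetype for an input would change. The two sample strings are constructed from the ssl_access_log stanzas quoted in the question; the names MERGE_FROM, MERGE_INTO, load_conf and stanza_conflicts are hypothetical.

```python
import configparser

# Constructed sample input: the two ssl_access_log stanzas quoted in the question.
MERGE_FROM = """
[monitor:///var/log/httpd/ssl_access_log]
disabled = false
sourcetype = s_apache
index = apache_access_logs
recursive=false
whitelist = /ssl_access_log$
followSymlink = false
"""

MERGE_INTO = """
[monitor:///var/log/httpd/ssl_access_log]
disabled = false
followTail = 0
sourcetype = apache_combined
index = apache_access_logs
recursive=false
followSymlink = false
whitelist=ssl_access_log$
"""

def load_conf(text):
    """Parse inputs.conf-style text into {stanza: {key: value}}."""
    # Only '=' separates key and value; strict=False tolerates a repeated stanza.
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written (followSymlink, followTail)
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}

def stanza_conflicts(conf_a, conf_b):
    """Return {stanza: {key: (value_a, value_b)}} for stanzas present in both files."""
    report = {}
    for stanza in sorted(set(conf_a) & set(conf_b)):
        a, b = conf_a[stanza], conf_b[stanza]
        diff = {k: (a.get(k), b.get(k))
                for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
        if diff:
            report[stanza] = diff
    return report

if __name__ == "__main__":
    conflicts = stanza_conflicts(load_conf(MERGE_FROM), load_conf(MERGE_INTO))
    for stanza, diff in conflicts.items():
        print(stanza)
        for key, (old, new) in diff.items():
            print(f"  {key}: {old!r} -> {new!r}")
```

Each sourcetype pair it reports is a candidate for the rename approach suggested in the reply above, and the old name is the one to look for in saved searches, dashboards and alerts.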