Hi,
I'm trying to figure out where I'm going wrong with this. My setup consists of an indexer and several universal forwarders, all sending data to the same TCP port on the indexer. I would like to change sourcetypes for application data based on the source file it originates from, but I've read conflicting or unspecific information on whether I should alter props.conf on the indexer or on each individual forwarder. I'm leaning towards the indexer because, as far as I understand, the sourcetype is not set until index time and the forwarders are not processing the information in any significant way.
Regardless, I've tried altering props.conf on both the indexer and the forwarders as follows:
An example source log file looks like:
/var/log/company/application1/application1.log
/var/log/company/application2/application2.log
...etc
So I've entered the following in props.conf for each application log:
[source::.../var/log/company/application#/application#.log*]
sourcetype = application#
I've also tried without the wildcards, e.g.:
[source::/var/log/company/application#/application#.log]
sourcetype = application#
But neither method works: Splunk still uses the default sourcetypes. As far as I can tell, both patterns should match a specific log file. Any ideas on where I'm going wrong, or an easier method of achieving this, would be appreciated!
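The question the post raises about whether the wildcard stanza and the literal stanza both select the file can be checked offline with a small matcher. The following is an added example, not code from the post and not Splunk's own code: it assumes the wildcard semantics documented for props.conf source stanzas (`*` matches any run of characters except `/`, `...` matches any run of characters including `/`, and a wildcard-free stanza takes precedence over pattern stanzas), and it uses a constructed props.conf fragment in which the post's two stanza styles are written out for application1 and application2 as the post's own paths list them; the third stanza (`company_flat`) is hypothetical and only there to show that `*` does not cross a directory separator.

```python
import re

# Constructed props.conf fragment (not from the original post). The first two
# stanzas are the post's two styles written out for application1/application2;
# the third (company_flat) is hypothetical, to show that '*' stops at '/'.
SAMPLE_PROPS = """
[source::.../var/log/company/application1/application1.log*]
sourcetype = application1

[source::/var/log/company/application2/application2.log]
sourcetype = application2

[source::/var/log/company/*.log]
sourcetype = company_flat
"""


def source_pattern_to_regex(pattern):
    """Translate a props.conf source:: pattern into a compiled regex.

    Assumed wildcard semantics (props.conf.spec):
      '*'   matches any run of characters except '/'
      '...' matches any run of characters including '/'
    Everything else is taken literally; the pattern must cover the whole source.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def parse_props(text):
    """Parse a minimal props.conf into a list of (stanza_name, {key: value})."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas


def resolve_sourcetype(source, stanzas, default="default"):
    """Return the sourcetype assigned by the source:: stanzas that match `source`.

    Assumption: an exact (wildcard-free) stanza wins over pattern stanzas; among
    pattern stanzas the first match in file order is used. Unmatched sources
    keep `default`, standing in for Splunk's automatic sourcetype.
    """
    matches = []
    for name, keys in stanzas:
        if not name.startswith("source::") or "sourcetype" not in keys:
            continue
        pat = name[len("source::"):]
        if source_pattern_to_regex(pat).fullmatch(source):
            matches.append((pat, keys["sourcetype"]))
    if not matches:
        return default
    exact = [st for pat, st in matches if "*" not in pat and "..." not in pat]
    return exact[0] if exact else matches[0][1]


if __name__ == "__main__":
    stanzas = parse_props(SAMPLE_PROPS)
    for path in (
        "/var/log/company/application1/application1.log",
        "/var/log/company/application1/application1.log.1",   # rotated file
        "/var/log/company/application2/application2.log",
        "/var/log/company/application2/application2.log.1",   # literal stanza misses this
        "/var/log/company/audit.log",
        "/var/log/company/other/other.log",
    ):
        print(f"{path:55} -> {resolve_sourcetype(path, stanzas)}")
```

Both of the post's patterns do select their file here, so the stanza syntax itself is not what is going wrong; the literal form only stops matching once the file is rotated. This reproduces stanza matching only and says nothing about which host evaluates the stanza at input time, so the check to run on the live instance is `splunk btool props list --debug` on the box where the props.conf was placed, which lists each effective stanza together with the file it was read from.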