Hey everybody,
we have some problems with our inputs.conf for directory inputs in the following stanzas:
[monitor:///pathToLogs/*/fixedPath/logForSourcetype1*.log]
[monitor:///pathToLogs/*/fixedPath/logForSourcetype2*.log]
The goal here is to read the host and source type for the given input.
- host: through host_segment (first * in the stanzas)
- source type: through the name of the log file (logForSourcetype[1/2])
Our problem is that, as defined in the documentation, a monitor with wildcards gets separated into the monitor and a whitelist.
Therefore the stanzas will look like:
[monitor:///pathToLogs/]
whitelist = [^/]*/fixedPath/logForSourcetype1[^/]*\.log
and
[monitor:///pathToLogs/]
whitelist = [^/]*/fixedPath/logForSourcetype2[^/]*\.log
(see: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/Specifyinputpathswithwildcards#Wildcards_and_whitelisting)
As a result, both stanzas are equal and differ only in the whitelist.
Therefore the second stanza will overwrite the first, which can also be seen in the _internal logs.
We found a solution for equal stanzas in another Splunk question.
The proposition for equal stanzas and different sourcetypes was to define the sourcetype in props.conf through source.
(see: https://answers.splunk.com/answers/2692/3-monitor-stanzas-of-the-same-folder-but-only-one-sourcetype-getting-indexed-why.html)
However, the post was tailored for 4.1, and we would be interested to know if there is a better and more elegant solution for our problem.
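The rewrite described in the post, as an added example that is not part of the original post and not Splunk's own code: a small Python check that derives the effective monitor path and whitelist for each wildcard stanza header and reports headers that collapse to the same monitor path. The function names are hypothetical, and the translation rule (`*` to `[^/]*`, `...` to `.*`, monitor path cut at the first wildcard segment) is assumed from the form shown in the post.

```python
import re

# Constructed sample: the two stanza headers quoted in the post.
SAMPLE_STANZAS = [
    "monitor:///pathToLogs/*/fixedPath/logForSourcetype1*.log",
    "monitor:///pathToLogs/*/fixedPath/logForSourcetype2*.log",
]

def split_wildcard_monitor(stanza):
    """Return (effective_monitor_path, whitelist_regex or None).

    Assumption: models the rewrite shown in the post. The path up to the
    first segment containing a wildcard becomes the monitor path; the
    remainder becomes a whitelist regex.
    """
    path = stanza[len("monitor://"):]
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if "*" in seg or "..." in seg:
            break
    else:
        return path, None  # no wildcard: the stanza is used as written
    base = "/".join(segments[:i]) + "/"
    rest = "/".join(segments[i:])
    # Split out the two wildcard forms, escape everything else literally.
    parts = re.split(r"(\.\.\.|\*)", rest)
    regex = "".join(
        ".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
        for p in parts
    )
    return base, regex

def find_collisions(stanzas):
    """Group stanza headers by effective monitor path; keep groups of 2+."""
    groups = {}
    for s in stanzas:
        base, whitelist = split_wildcard_monitor(s)
        groups.setdefault(base, []).append((s, whitelist))
    return {b: members for b, members in groups.items() if len(members) > 1}

if __name__ == "__main__":
    for base, members in find_collisions(SAMPLE_STANZAS).items():
        print(f"[monitor://{base}] is produced by {len(members)} stanzas:")
        for original, whitelist in members:
            print(f"  {original}\n    whitelist = {whitelist}")
```

Running such a check over every monitor header before deploying inputs.conf surfaces inputs that would otherwise drop out of collection without an error at the source.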