Community:Monitoring a mixed sourcetype directory

From Splunk Wiki


Monitoring a mixed directory and sourcetyping by pattern

In Splunk 3.x and 4.0.x, overlapping inputs aren't supported, so you cannot do this:

[monitor:///var/log]
sourcetype = syslog

[monitor:///var/log/apache]
sourcetype = apache


You also can't do this:

[monitor:///logdirs/*.apache]
sourcetype = apache

[monitor:///logdirs/*.syslog]
sourcetype = syslog

Whitelists and blacklists don't solve this either: they only filter which files a single monitor stanza reads, and a stanza can assign only one sourcetype.

So instead, the solution is to capture all the files in the directory with one input stanza, and then break out the sourcetypes in props.conf:

inputs.conf:

[monitor:///logdirs/]
# get files ending in .apache or .syslog
_whitelist = \.(apache|syslog)$

props.conf:

[source::/logdirs/....apache]
sourcetype = apache

[source::/logdirs/....syslog]
sourcetype = syslog

# '....apache' breaks down into '...' (matches anything, including
# subdirectories) followed by '.apache', where the '.' is a literal
# dot in the filename
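To see how the two halves of this configuration fit together, here is an added Python example (not from the wiki page or from Splunk itself) that models the filtering and sourcetyping above: the inputs.conf whitelist decides which files are read at all, and the props.conf source:: patterns then assign the sourcetype. The wildcard semantics are an assumption based on Splunk's documented rules ('...' spans directories, '*' stops at a path separator, everything else is literal), and the sample file paths are constructed.

```python
import re

# Constructed configuration values mirroring the stanzas on this page.
INPUTS_WHITELIST = r"\.(apache|syslog)$"      # the _whitelist regex in inputs.conf
PROPS_STANZAS = [                              # (source:: pattern, sourcetype) from props.conf
    ("/logdirs/....apache", "apache"),
    ("/logdirs/....syslog", "syslog"),
]


def stanza_to_regex(pattern):
    """Translate a source:: stanza pattern into an anchored Python regex.

    Assumed (simplified) Splunk semantics:
      '...' matches any run of characters, including '/' (recurses into subdirectories)
      '*'   matches any run of characters except '/'
      anything else, including '.', is a literal character
    """
    pieces = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            pieces.append(".*")
            i += 3
        elif pattern[i] == "*":
            pieces.append("[^/]*")
            i += 1
        else:
            pieces.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(pieces) + "$"


def matches_stanza(pattern, path):
    """True if the source:: pattern matches the full file path."""
    return re.match(stanza_to_regex(pattern), path) is not None


def is_monitored(path):
    """Apply the inputs.conf whitelist: only matching paths are read at all."""
    return re.search(INPUTS_WHITELIST, path) is not None


def resolve_sourcetype(path, stanzas=PROPS_STANZAS):
    """Return the sourcetype props.conf assigns, or None if the file is not
    monitored or no source:: stanza matches it."""
    if not is_monitored(path):
        return None
    for pattern, sourcetype in stanzas:
        if matches_stanza(pattern, path):
            return sourcetype
    return None


# Constructed sample paths under the monitored directory.
SAMPLE_PATHS = [
    "/logdirs/host1.syslog",
    "/logdirs/web/access.apache",
    "/logdirs/web/error.apache",
    "/logdirs/notes.txt",
]


def classify(paths=SAMPLE_PATHS):
    """Map each path to its resolved sourcetype (None = not monitored / no stanza)."""
    return {p: resolve_sourcetype(p) for p in paths}


if __name__ == "__main__":
    for path, sourcetype in classify().items():
        print(f"{path:32} -> {sourcetype or '(not monitored / no stanza)'}")
    # Why '....apache' rather than '*.apache': '*' does not cross directories.
    print(matches_stanza("/logdirs/*.apache", "/logdirs/web/access.apache"))   # False
    print(matches_stanza("/logdirs/....apache", "/logdirs/web/access.apache"))  # True
```

The `matches_stanza` comparison at the end is the practical check to run before trusting a source:: pattern: a `*` pattern silently misses files in subdirectories, while `...` picks them up.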