Question

I have an inputs.conf that looks something like this:

[monitor:///var/www/site/shared/log/*]
disabled = false
followTail = 1
sourcetype=rails
crcSalt = <SOURCE>

[monitor:///var/www/site/shared/log/resque_events.log]
disabled = false
followTail = 1
sourcetype=json_predefined_timestamp
crcSalt = <SOURCE>

A couple of questions: Does Splunk double up indexing the resque_events.log? Is Splunk smart enough to figure out that source type from the initial parsing, or do I need to declare it like I did?

I'm not sure if this is redundant; I'm looking for guidance here.

Thanks in advance!


Solution

For inputs.conf, the more specific monitor path will override the general one; therefore, your resque_events.log will have the json_predefined_timestamp sourcetype.

If you want to see how Splunk reads your inputs.conf, then try the following command:

./splunk cmd btool inputs list --debug

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
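As an added example (not part of the original answer and not Splunk's own code), the sketch below models the rule stated above so overlapping monitor stanzas can be checked offline before a forwarder is deployed. It assumes that "more specific" means the matching pattern with the most literal characters, and the function names are hypothetical; btool on the real host remains the authority.

```python
import configparser
import re

# Constructed sample: the two stanzas from the question.
INPUTS_CONF = """\
[monitor:///var/www/site/shared/log/*]
disabled = false
followTail = 1
sourcetype=rails
crcSalt = <SOURCE>

[monitor:///var/www/site/shared/log/resque_events.log]
disabled = false
followTail = 1
sourcetype=json_predefined_timestamp
crcSalt = <SOURCE>
"""

PREFIX = "monitor://"

def monitor_stanzas(conf_text):
    """Return {path_pattern: settings} for every [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (followTail, crcSalt)
    cp.read_string(conf_text)
    return {s[len(PREFIX):]: dict(cp[s]) for s in cp.sections() if s.startswith(PREFIX)}

def pattern_to_regex(pattern):
    """Translate monitor wildcards: '...' spans directories, '*' stays in one path segment."""
    parts = re.split(r"(\.\.\.|\*)", pattern)
    return re.compile("".join(
        ".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts))

def literal_length(pattern):
    """Assumed specificity score: number of non-wildcard characters in the pattern."""
    return len(re.sub(r"\.\.\.|\*", "", pattern))

def effective_stanza(conf_text, path):
    """Return (winning_pattern, its_settings, all_matching_patterns) for one file path."""
    stanzas = monitor_stanzas(conf_text)
    matches = [p for p in stanzas if pattern_to_regex(p).fullmatch(path)]
    if not matches:
        return None, {}, []
    winner = max(matches, key=literal_length)
    return winner, stanzas[winner], matches
```

A file for which more than one pattern is returned in the third element is covered by overlapping stanzas and is worth confirming with the btool command above.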

Licensed under: CC-BY-SA with attribution