Question

I have an inputs.conf that looks something like this:

[monitor:///var/www/site/shared/log/*]
disabled = false
followTail = 1
sourcetype=rails
crcSalt = <SOURCE>

[monitor:///var/www/site/shared/log/resque_events.log]
disabled = false
followTail = 1
sourcetype=json_predefined_timestamp
crcSalt = <SOURCE>

A couple of questions: Does Splunk double up indexing the resque_events.log? Is Splunk smart enough to figure out that source type from the initial parsing, or do I need to declare it like I did?

I'm not sure if this is redundant; I'm looking for guidance here.

Thanks in advance!


Solution

For inputs.conf, the more specific monitor path will override the general one; therefore, your resque_events.log will have the json_predefined_timestamp sourcetype.

If you want to see how Splunk reads your inputs.conf, then try the following command:

./splunk cmd btool inputs list --debug

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
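To audit an inputs.conf for this kind of overlap before deploying it, the following added example (not part of the original answer and not Splunk code) lists every literal monitor path that is also matched by a wildcard monitor stanza, together with both sourcetypes. The function names `wildcard_to_regex` and `find_overlaps` are hypothetical, the sample configuration is constructed from the question, and the precedence rule in the comment is the one stated in the answer.

```python
import configparser
import re

# Constructed sample that mirrors the two stanzas from the question.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/www/site/shared/log/*]
disabled = false
sourcetype = rails

[monitor:///var/www/site/shared/log/resque_events.log]
disabled = false
sourcetype = json_predefined_timestamp
"""

PREFIX = "monitor://"


def wildcard_to_regex(path):
    """Splunk monitor wildcards: '...' crosses directories, '*' stays in one segment."""
    parts = []
    for token in re.split(r"(\.\.\.|\*)", path):
        if token == "...":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts) + r"\Z")


def find_overlaps(conf_text):
    """List (literal_path, wildcard_path, literal_sourcetype, wildcard_sourcetype)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(conf_text)
    monitors = {s[len(PREFIX):]: parser[s] for s in parser.sections() if s.startswith(PREFIX)}
    literals = [p for p in monitors if "*" not in p and "..." not in p]
    wildcards = [p for p in monitors if p not in literals]
    overlaps = []
    for lit in literals:
        for wc in wildcards:
            if wildcard_to_regex(wc).match(lit):
                overlaps.append((lit, wc, monitors[lit].get("sourcetype"),
                                 monitors[wc].get("sourcetype")))
    return overlaps


if __name__ == "__main__":
    for lit, wc, lit_st, wc_st in find_overlaps(SAMPLE_INPUTS_CONF):
        # Per the answer above, the literal (more specific) stanza's settings apply.
        print(f"{lit}: also matched by {wc} ({wc_st}); expected sourcetype {lit_st}")
```

Comparing the reported sourcetype with what a search on the indexed events shows confirms whether a log source is being parsed the way detections expect.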

Licensed under: CC-BY-SA with attribution