I'm currently looking at deploying some changes to ease management of input files in our environment. I've confirmed that the only way to bring in multiple whitelisted files, and link them with a source type, is to use a source stanza under props.conf. From what I've read, and tested, the sources props.conf would have to run on the forwarder instead of the indexers.
Has anyone tested the effects of the source stanza and resource utilization on a forwarder?
Here is an example of our configs.
INPUTS.CONF
[default]
index = my_index
[monitor:///export2/MyApp/*/logs/]
whitelist = MyApp[^/]*\.log|perflog\.txt[^/]*
followSymlink = false
disabled = 0
----------
PROPS.CONF
[source::.../MyApp*]
sourcetype = my_index:agent
[source::.../Auto*]
sourcetype = my_index:auto
[source::.../MyAppManager*]
sourcetype = my_index:manager
[source::.../MyAppWeb*]
sourcetype = my_index:web
[source::.../perflog.txt*]
sourcetype = my_index:perflog
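
An added example, not part of the original post and not Splunk's code: a Python script that runs the source stanzas and whitelist above against constructed file paths to show which stanzas overlap. It assumes the wildcard translation (`...` and `*`) and the ASCII-order collision rule described in props.conf.spec, with no `priority` set; the sample paths and function names are made up for illustration.

```python
import re

# Stanzas and whitelist copied from the post above.
STANZAS = {
    ".../MyApp*": "my_index:agent",
    ".../Auto*": "my_index:auto",
    ".../MyAppManager*": "my_index:manager",
    ".../MyAppWeb*": "my_index:web",
    ".../perflog.txt*": "my_index:perflog",
}
WHITELIST = re.compile(r"MyApp[^/]*\.log|perflog\.txt[^/]*")

def to_regex(pattern):
    """Translate source:: wildcards: '...' = any characters, '*' = any except '/'."""
    parts = []
    for tok in re.split(r"(\.\.\.|\*)", pattern):
        if tok == "...":
            parts.append(".*")
        elif tok == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(tok))  # assumption: everything else is literal
    return re.compile("".join(parts))

def resolve(path):
    """Return (whitelisted?, matching patterns in ASCII order, winning sourcetype)."""
    hits = sorted(p for p in STANZAS if to_regex(p).fullmatch(path))
    winner = STANZAS[hits[0]] if hits else None  # first in ASCII order wins a collision
    return bool(WHITELIST.search(path)), hits, winner

# Constructed sample paths under the monitored directory (not real data).
SAMPLES = [
    "/export2/MyApp/host1/logs/MyAppManager.log",
    "/export2/MyApp/host1/logs/MyAppWeb.log",
    "/export2/MyApp/host1/logs/perflog.txt.1",
    "/export2/MyApp/host1/logs/AutoRun.log",
]

if __name__ == "__main__":
    for path in SAMPLES:
        monitored, hits, winner = resolve(path)
        print(f"{path}\n  whitelisted={monitored} matches={hits} sourcetype={winner}")
```

Under those assumptions, `.../MyApp*` also matches the Manager and Web files and sorts ahead of the more specific patterns, and files starting with `Auto` never pass the whitelist.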