Hello guys.
I am new to Splunk. Let me introduce my problem. I have installed Splunk Light Free on the server (based on Windows Server 2012 Std, hostname: logs.xxx.com) and universal forwarder on the machine with logs (based on Windows Server 2012 Std, hostname: myapplogs.xxx.com).
Machine with logs (where UF installed) have 2 folders, e.g.
C:\MyApp\API
C:\MyApp\Service
Logs location looks like:
C:\MyApp\API\Shared\log\*.log
C:\MyApp\Service\Shared\log\2015-10-19\*.log
where `2015-10-19` - today date. New folder is created everyday.
How can I monitor these two paths with wildcards and send logs from there to:
logs.xxx.com:9990 - for API logs
logs.xxx.com: 9991- for Service logs
I wrote some configs:
Splunk inputs.conf:
[splunktcp://9990]
index = myapp
sourcetype = myapp_api
[splunktcp://9991]
index = myapp
sourcetype = myapp_service
UF inputs.conf:
[monitor://C:\\MyApp\\API\\Shared\\log\\*.log]
_TCP_ROUTING = MyApp_API
disabled = false
index = myapp
sourcetype = myapp_api
[monitor://C:\\MyApp\\Service\\Shared\\log\\...\\*.log]
_TCP_ROUTING = MyApp_Service
disabled = false
index = myapp
sourcetype = myapp_service
UF outputs.conf:
[tcpout:MyApp_API]
server = logs.xxx.com:9990
useACK = true
[tcpout:MyApp_Service]
server = logs.xxx.com:9991
useACK = true
But this configuration did not work properly. My folders are not monitored correctly. Instead, Splunk monitors folder, e.g. `C:\MyApp\Api\Builds` And in Splunk, sourcetypes are not assigned properly. Instead of `myapp_api`, I have `sourcetype=2015-10-19`.
Please help me to fix configs. I am a newbie in Splunk.
↧