Under inputs.conf on Universal Forwarder (UF), i have these config as below:-
1.) [monitor:///var/home/jboss/logs/*.log]
disabled = false
followTail = 0
sourcetype= xyz
2.) [monitor:///export/home/tomcat/*.log]
disabled = false
followTail = 0
index = abc_tomcat
sourcetype = pqrs
My questions are ,
a.) index is not configured in 1st monitor stanza whereas index is configured in 2nd monitor stanza, so where will the 1st monitor stanza logs will be going , to the main_index ?
b.) is this really a good configuration ?
c.) do we really need followTail=0 , this option is only used by Splunk for the first time it is monitoring this log which says to read from first line
d) any Suggestions to change this configuration of monitor stanza ?
↧
