Is there any reason to set up both I ask this because I notice that Splunk's unix app does this in both Splunk 4.0.10 and Splunk 4.1.1. Snippet from

    [fschange:/etc]
    index=os
    pollPeriod = 300
    fullEvent = true
    filesPerDelay=5
    delayInMills=100

    [monitor:///etc]
    _whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
    index=os

In 4.0, both of the inputs are enabled by default (once you enable the

According to the docs for inputs.conf, this is not supported.
But, that said, the unix app does configure both inputs in spite of the docs saying it can't be done.
I think our preclusion of this behavior is basically stale. Given that we do it all over the place, and I think customers are doing it, it does work.
(05 May '10, 14:50)
jrodman ♦
So, any idea on why this is done, what advantage it provides?
(05 May '10, 17:51)
Lowell ♦
