Refine your search:

Overlapping Inputs With Different Charset

0

Hi, All. I have an overlapping path issue in Windows that I might need some assist on.

I have the contents of two directories which need monitoring (all files have the .log extension):

  • C:Program FilesMyAppClientConnLog
  • C:Program FilesMyAppClientreport

Looks like Splunk has issues with overlapping monitor inputs[1], so I can't monitor the directories with separate input stanzas. The files in the 'report' directory have (for whatever reason) ISO-8859-1 encoding. Splunk requires a separate props.conf directive so the log files are read correctly.

I'm unable to set the input to the parent directory (like "C:Program FilesMyAppClient") since the character set change in the report/ directory. Also, there are other files which I don't want to read from the parent directory.

Here's an example (not-really-working) configuration I'm using at the moment.

Have any thoughts on how I will be able to read the contents of both directories as well as read the report directory with the appropriate character set intact?

-- inputs.conf

[monitor://C:\Program Files\MyApp\Client\ConnLog]
sourcetype = conn_log
followTail = 1
crcSalt = <source>

[monitor://C:\Program Files\MyApp\Client\report]
sourcetype = report_log
followTail = 1
crcSalt = <source>

-- props.conf

[source::C:\Program Files\MyApp\Client\report]
CHARSET = ISO-8859-1

[1] http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories

asked 01 May '12, 08:28

tgiles's gravatar image

tgiles
133112
accept rate: 14%

One Answer:
oldestnewestmost voted
0

This should work, you can maybe try setting the character set by using sourcetype instead of source:

[report_log]
CHARSET = ISO-8859-1

Make sure that you added the props.conf file on the forwarder, not the indexer.

link

answered 01 May '12, 11:04

bojanz's gravatar image

bojanz
1.1k1216
accept rate: 40%

hi, Thanks for the input.

unfortunately, adding the CHARSET directive into the sourcetype does nothing for me- the entries show up as line noise, just like if the directive wasn't set.

(04 May '12, 08:36) tgiles
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×433
×249
×2

Asked: 01 May '12, 08:28

Seen: 536 times

Last updated: 04 May '12, 08:36

Related questions

Charset Encoding

overlapping directives in inputs.conf

Windows/Linux scripted inputs and setup.xml

Problem with hostname field for Windows inputs

Deleting data inputs

Inputs layout

Disappearing logs?

Whitelisting and blacklisting input files

Best way to toggle inputs?

Copyright © 2005-2012 Splunk Inc. All rights reserved.