Hi, all. I have an overlapping path issue in Windows that I might need some assistance with.
I have the contents of two directories which need monitoring (all files have the .log extension):
Looks like Splunk has issues with overlapping monitor inputs, so I can't monitor the directories with separate input stanzas. The files in the 'report' directory have (for whatever reason) ISO-8859-1 encoding. Splunk requires a separate props.conf directive so the log files are read correctly.
I'm unable to set the input to the parent directory (like "C:Program FilesMyAppClient") because of the character set change in the report/ directory. Also, there are other files in the parent directory which I don't want to read.
Here's an example (not-really-working) configuration I'm using at the moment.
Have any thoughts on how I will be able to read the contents of both directories as well as read the report directory with the appropriate character set intact?
asked 01 May '12, 08:28
This should work; you can maybe try setting the character set by using sourcetype instead of source:
Make sure that you added the props.conf file on the forwarder, not the indexer.
answered 01 May '12, 11:04
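A sketch of the approach suggested in the answer, added here as an example and not taken from the original thread: the report directory gets its own sourcetype in inputs.conf, and props.conf keys the character set on that sourcetype rather than on the source path. `<PARENT_DIR>` and the sourcetype name `myapp_report` are placeholders assumed for illustration.

```ini
# ---- inputs.conf (on the forwarder) ----
# Constructed example. <PARENT_DIR> stands for the application's
# parent directory; substitute the real path.
[monitor://<PARENT_DIR>\report\*.log]
# Hypothetical sourcetype name, used only to attach the charset below.
sourcetype = myapp_report
disabled = false

# ---- props.conf (on the same forwarder) ----
# Matching on the sourcetype avoids writing a source:: pattern
# for a Windows path.
[myapp_report]
CHARSET = ISO-8859-1
```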