So my goal is to be able to pass a file to a splunk-monitored directory.. and have splunk apply it to the appropriate index and sourcetype...by a sort of naming convention.
file would come in as "indexname_sourcetype_filename.txt" or whatever... and my inputs.conf would do the appropriate thing.
is this possible?
asked 09 Sep '10, 18:33
Yes, this should be possible. It would be something along these lines:
And then in props.conf:
answered 09 Sep '10, 20:43