Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multiple monitor stanzas with wildcard and single file in inputs.conf

splunkreal
Motivator
‎10-24-2023 08:07 AM

Hello,

is it possible to have mydirectory\*.log monitor stanza to route data to usual indexers (or any specific monitor stanza) AND another specific mydirectory\file.log to another specific _TCP_ROUTING ?

Thanks.

 

* If this helps, please upvote or accept solution if it solved *
Labels (5)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-25-2023 02:36 PM

Yep, I'm pretty sure. If you "overlap" the same file within two separate stanzas it will get monitored only once.

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2023 12:06 AM

Hi @splunkreal ,

it shoudl be possible using two _TCP_ROUTING items in the inputs.conf pointing to the two different destinations, obviously in different Indexers.

but in this way you pay twice the license because data is indexed twice.

for more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... 

Ciao.

Giuseppe

Reply

splunkreal
Motivator
‎10-25-2023 12:37 AM

Hi @gcusello  great thanks, however may it work if we set different index for the secondary stanza?

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2023 12:43 AM

Hi @splunkreal ,

for my knowledge different Indexers, not indexes.

There's no sense to duplicate logs in two indexes of the same Indexers.

But you have to set the same index name beacuse you really set on index in the input stanza.

If you want to have a different index name on the second Indexers, you have to override this value on it. 

Ciao.

Giuseppe

Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-24-2023 08:44 AM

I don't think you can monitor the same "base path" twice.

An ugly hack to walk around that is to use (hard/soft) links

0 Karma
Reply

splunkreal
Motivator
‎10-24-2023 10:17 AM

Are you sure? The stanza is different yet... or we must detail all monitored logs?

Thanks! 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...