I am having difficulty setting up my forwarder with a preloaded source type. I have identified the source type as "*access_combined*".
*On my inputs.conf on the forwarder I have something like this:*
[monitor:///home/user/dev/build/apps/testproduct/main/logs/jetty/*]
sourcetype = access_combined
disabled = false
*In my props.conf I have:*
[source::/home/user/dev/build/apps/testproduct/main/logs/jetty/jetty*.log]
sourcetype = access_combined
I imagined this would be sufficient for the forwarder configs - but the logs are not being forwarded.
So:
1. I am not sure what this means for the indexer configs. If I am using a preloaded sourcetype (access_combined), does it then still require inputs.conf and props.conf on the indexer?
2. Also how do I uniquely identify logs from my forwarder within the indexer even if they have a preloaded sourcetype?
Thanks
↧