We have a very simple inputs.conf stanza setup to monitor a file system:
[monitor:|path|]
disabled = false
index = Index1
What I've noted is that this has resulted in many different sourcetypes for our data. Based on my research, I believe I need to define the sourcetype in inputs.conf.
However, what's confusing me is that the "learned" sourcetypes are defined in props.conf and sourcetypes.conf on the Universal Forwarder rather than on the Indexers.
On the UF there is a sourcetypes.conf stanza:
[||filepath|]
L-//_::.*t._ = 0.322842
L-//_::._t._ = 0.101574
_source = |filepath|
_sourcetype = |typename-15|
And a props.conf stanza:
[typename-15]
CHARSET = UTF-8
MAX_TIMESTAMP_LOOKAHEAD = 42
is_valid = True
This leads me to two questions:
1. When I define my actual sourcetype I should only define a stanza in props.conf on the INDEXER, correct? Define the inputs.conf with my location to monitor and sourcetype and nothing else?
2. Shouldn't MAX_TIMESTAMP_LOOKAHEAD be part of the parsing logic needed on the Indexer? What is this doing on the UF which, I thought, only sends the data to the Indexer?