I have the universal forwarder installed on a Windows 2012 server. I am trying to monitor a log directory for a custom application. The application creates a new log file for each month, so I have many text files in the folder that look like 201808.txt, 201807.txt, 201806.txt, etc.
When I monitor the directory, instead of hardcoding the sourcetype that I am telling splunk to do, it is instead setting the sourcetype to the filename. How can I fix this?
On the Windows Server, inputs.conf:
[monitor://C:\BlueIris\log]
disabled = false
sourcetype = blueiris
On the indexer, props.conf:
[blueiris]
sourcetype = blueiris
↧