Couldn't parse and extract mixed data (json and text)

Hi, I am not able to send my logfile into 2 sourcetypes (json and non-json). Below is my config. I know the fix might be a simple one. It's just that I am not getting anywhere near it. Need your expertise solution.

:::::::::::::::::inputs.conf::::::::::::::::

**Only 1** monitor stanza is being picked. How can I parse the log file into two source types? Or any better solution?

```
[monitor://\\server1\sdata$\]
sourcetype = Custom_W22
index=0_nojson
whitelist = (app1.log)
recursive=false
interval = 10
crcSalt =

[monitor://\\server1\sdata$]
sourcetype = myjson
index=0_myjson
whitelist = (\app1.log)
recursive=false
interval = 10
crcSalt =
```

::::::::::::props.conf::::::::::::::::::::::::::::::

-----Here I have used current DATETIME_CONFIG which ignores my timestamps. I can fix the timestamps after indexing. Otherwise, the parsing was slow---------

```
[Custom_W22]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Miscellaneous
TRANSFORMS-set = discardAll,queue2resp
disabled = false
pulldown_type = true
DATETIME_CONFIG = CURRENT
TRUNCATE = 100000

[myjson]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
NO_BINARY_CHECK = true
category = Custom
description = myjson custom
disabled = false
pulldown_type = true
TRUNCATE = 100000
MAX_EVENTS = 10000
```

::::::::::::::::::transforms.conf::::::::::::::::::::::::::

```
[discardAll]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[queue2resp]
REGEX=(\
```
