Hi,
I have configured an app being pushed from deployment server to a remote Windows host to read DAT files.
Links already referred:
http://splunk-base.splunk.com/answers/60643/archiveprocessor-bypassing-normal-systemlocalpropsconf-processing-for-dat-files-inside-archives-434
https://answers.splunk.com/answers/55279/handling-text-dat-files-how-can-i-override-splunks-system-default-props-conf-configuration-for-just-a-single-app.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
The configuration looks like this:

props.conf
[source::....(dat)]
sourcetype = mysourcetype

inputs.conf
[default]
index = app
sourcetype = mysourcetype
[monitor://D:\folder\folder\Server34\encyc\status\*\*]
[monitor://C:\Anupama\status\...\...]
[monitor://C:\folder\status\*\*]
[monitor://C:\folder\status\*.dat]

It is weird that all the files in the folder are getting read, except for the required DAT files.
Can someone help with the best configurations, please?