Multiple Directories having the same SourceType


Can I have multiple directories using the same sourcetype?

We have application logs that are split into two locations. I want to have one sourcetype to access them both.

For example:
# Older logs on D:
[monitor://D:\Application\Logs\OldLogs]
sourcetype = applogs
disabled = false
index = commonapps

# Current logs on C:, same sourcetype and index
[monitor://C:\Application\Logs\CurrentLogs]
sourcetype = applogs
disabled = false
index = commonapps

Any better ways of doing it?

Sure, that will work fine. The point of sourcetypes is to span across multiple sources.

Thanks!
The docs only mentioned subdirectories, so I was a little worried about different directories.