When monitoring directories that contain mixed file types, the sourcetype setting should be omitted from inputs.conf and instead overridden in props.conf. This is because props.conf is specifically designed for advanced data parsing and classification, including overriding or configuring the source type for incoming data. By defining sourcetype in props.conf, you can apply more granular rules or dynamic recognition based on the characteristics of the data being ingested. This approach avoids conflicts and ensures proper handling of mixed file types.
I would like to add here that even if you can redefine host in props.conf based on the following:
<props.conf>
<!-- Overriding automated host and source type matching. You can use props.conf to:
Configure advanced (regular expression-based) host and source type overrides.-->
host will be kept in the inputs.conf with default value. Only source type might be omitted without any consequences.
upvoted 1 times
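The configuration the comments above describe, as an added example that is not part of either comment or of Splunk's documentation: a monitor stanza with no sourcetype, and props.conf stanzas that assign the source type per file pattern. The directory path, file patterns and source type names are constructed for illustration.

```ini
# ---- inputs.conf (on the instance that reads the files) ----
# Constructed path. No sourcetype here: the directory holds mixed file types,
# so a single value would mislabel every file that is not of that type.
# host is not overridden and keeps its default value.
[monitor:///var/log/appdata]
disabled = false

# ---- props.conf (same instance, applied at input time) ----
# The sourcetype setting is only valid in [source::...] stanzas.
# "*" matches within one path segment, "..." recurses through directories.
[source::/var/log/appdata/*.json]
sourcetype = appdata:json

[source::/var/log/appdata/*.csv]
sourcetype = appdata:csv

[source::/var/log/appdata/.../audit*.log]
sourcetype = appdata:audit
```

Files in the directory that match none of the patterns fall back to automatic source type recognition, so it is worth searching for unexpected sourcetype values from this source after deployment.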
cagdaskarabag
1 month, 2 weeks ago
BOSS2107
1 week, 1 day ago