Linux single file configuration
[monitor://\/opt\/ihub\/log.*is4i.data.*.log]
host_regex = .*\/(.*?)(?=\.)
index = IBMiIndex01
sourcetype = _json
disabled = false
You can set multiple monitor statements in the inputs.conf file to have the Universal Forwarder watch for files with different names or send them to different indexes, as shown here:
Windows multiple file configurations
This example has two monitor statements with the same style of file names, with files in separate subdirectories called ..log\IBM1 and ..log\IBM2. The data will be sent to different indexes:
[monitor://C:\\Program Files\\Precisely\\Ironstream Hub\\log\IBM1.*is4i.data.*.log]
host_regex = .*\\(.*?)(?=\.)
index = IBMiProd
sourcetype = _json
disabled = false
[monitor://C:\\Program Files\\Precisely\\Ironstream Hub\\log\IBM2.*is4i.data.*.log]
host_regex = .*\\(.*?)(?=\.)
index = IBMiNonProd
sourcetype = _json
disabled = false
Note: Splunk requires a different name in each monitor statement; otherwise only the last definition is used. This is why the example above uses subdirectories to hold data destined for different indexes.
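The check below is an added example, not part of the Precisely or Splunk documentation: it parses inputs.conf text, flags monitor statements whose names repeat (so the earlier index setting is lost, as the note above describes), and shows which host value the host_regex settings above take from a file path. The sample configuration, the file paths and the host name IBMI01 are constructed, and Python's re module stands in for Splunk's regex engine.

```python
import re

# Constructed inputs.conf text: the second stanza reuses the first stanza's
# name, which is the mistake the note above warns about.
SAMPLE_CONF = r"""
[monitor://\/opt\/ihub\/log.*is4i.data.*.log]
host_regex = .*\/(.*?)(?=\.)
index = IBMiProd
sourcetype = _json

[monitor://\/opt\/ihub\/log.*is4i.data.*.log]
host_regex = .*\/(.*?)(?=\.)
index = IBMiNonProd
sourcetype = _json
"""

def parse_stanzas(text):
    """Return [(stanza_name, {key: value})] in file order."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def shadowed_stanzas(stanzas):
    """Return (name, index_lost, index_kept) for every repeated stanza name."""
    seen, findings = {}, []
    for name, settings in stanzas:
        if name in seen:
            findings.append((name, seen[name].get("index"), settings.get("index")))
        seen[name] = settings  # the later definition replaces the earlier one
    return findings

def extract_host(host_regex, path):
    """First capture group of host_regex applied to the file path, or None."""
    match = re.search(host_regex, path)
    return match.group(1) if match and match.groups() else None

if __name__ == "__main__":
    for name, lost, kept in shadowed_stanzas(parse_stanzas(SAMPLE_CONF)):
        print(f"duplicate [{name}]: index {lost} is replaced by {kept}")
    print(extract_host(r".*\/(.*?)(?=\.)", "/opt/ihub/log/IBMI01.is4i.data.1.log"))
```

Running the check on an inputs.conf before deploying it to the Universal Forwarder catches the case where data intended for one index would be sent to another.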