
Use Multiple JSON Files to Configure Sources (syncSources)

Sumo Logic can read from multiple JSON files to configure your Sources. You specify the folder or directory and provide a single Source per JSON file. This is done using the syncSources parameter. 

To use JSON to configure multiple Sources:

  1. Set the syncSources parameter to the folder or directory where your JSON files will be stored. For example, if you want to store your JSON files in the location C:\ProgramData\SumoLogic\sources\, specify the following value for syncSources. (Because this example is for a Windows machine, you must escape the backslashes.)

     syncSources=C:\\ProgramData\\SumoLogic\\sources\\

  2. Modify your JSON files, if needed, so that each configures only one Source. Change the sources parameter to source and remove the array brackets. The following example shows a Local Windows Event Source JSON configuration.

     {
       "api.version": "v1",
       "source": {
         "name": "localWinEvent",
         "category": "OS/Windows",
         "automaticDateParsing": true,
         "multilineProcessingEnabled": true,
         "useAutolineMatching": true,
         "forceTimeZone": false,
         "timeZone": "America/New_York",
         "filters": [
           {
             "filterType": "Exclude",
             "name": "ts.backup",
             "regexp": ".*ts\\.backup.*"
           }
         ],
         "cutoffRelativeTime": "-1h",
         "encoding": "UTF-8",
         "logNames": [
           "System",
           "Application",
           "Security",
           "Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational",
           "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
         ],
         "sourceType": "LocalWindowsEventLog"
       }
     }
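
The conversion in step 2 can be scripted when an existing file holds several Sources. The following is an added example, not Sumo Logic code: it splits a "sources" array into one "source" file per Source, named after the Source. The function names, the file-naming rule, and the sample input are assumptions made for illustration.

```python
import json
import re
import tempfile
from pathlib import Path


def split_sources(config: dict) -> dict:
    """Map file name -> single-Source config ("sources": [..] becomes "source": {..})."""
    sources = config.get("sources")
    if not isinstance(sources, list):
        raise ValueError('expected a top-level "sources" array')
    out = {}
    for index, source in enumerate(sources):
        name = source.get("name")
        if not name:
            raise ValueError(f"source #{index} has no name")
        # Source names may contain characters that are not valid in file names.
        filename = re.sub(r"[^A-Za-z0-9._-]", "_", name) + ".json"
        if filename in out:
            raise ValueError(f"duplicate file name for source {name!r}")
        out[filename] = {"api.version": config.get("api.version", "v1"), "source": source}
    return out


def write_sources(config: dict, folder: Path) -> list:
    """Write one JSON file per Source into folder; return the paths written."""
    folder.mkdir(parents=True, exist_ok=True)
    written = []
    for filename, single in split_sources(config).items():
        path = folder / filename
        path.write_text(json.dumps(single, indent=2), encoding="utf-8")
        written.append(path)
    return written


# Constructed sample input: two Sources in the "sources" array form.
SAMPLE = {
    "api.version": "v1",
    "sources": [
        {"name": "localWinEvent", "category": "OS/Windows",
         "logNames": ["System", "Application", "Security"],
         "sourceType": "LocalWindowsEventLog"},
        {"name": "app logs/web", "category": "App/Web",
         "pathExpression": "C:\\logs\\web\\*.log", "sourceType": "LocalFile"},
    ],
}

if __name__ == "__main__":
    print(*write_sources(SAMPLE, Path(tempfile.mkdtemp())), sep="\n")
```

Point write_sources at the folder named in syncSources to produce the per-Source files directly.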