Is there a config to index a full logfile regardless of the content? I tried MAX_EVENTS=3000 only, but it looks like this one needs a BREAK variable as well.
Use:
TRUNCATE = 9999999999999
LINE_BREAKER = (?!)
You could use:
MAX_EVENTS = 99999999
BREAK_ONLY_BEFORE = (?!)
But the former is much more efficient for Splunk to perform. (?!) is a PCRE regular expression that will always fail to match.
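As an added illustration (not from the original thread and not Splunk's own code), a small Python model of how LINE_BREAKER's first capturing group and TRUNCATE interact, showing why (?!) together with TRUNCATE = 0 or a very large TRUNCATE yields one event for the whole file, while a default-sized TRUNCATE would still cut it:

```python
import re

# Constructed sample: a short multi-line "rule file" standing in for one of the
# individual plugin files mentioned in the thread.
SAMPLE_FILE = (
    "# plugin 12345\n"
    "script_name(\"Example check\");\n"
    "script_version(\"1.0\");\n"
    "\n"
    "if (description) exit(0);\n"
)

# Hypothetical defaults chosen for the model; the real Splunk defaults differ.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"
DEFAULT_TRUNCATE = 10000


def break_events(raw, line_breaker=DEFAULT_LINE_BREAKER, truncate=DEFAULT_TRUNCATE):
    """Approximate LINE_BREAKER / TRUNCATE semantics.

    The text captured by the first group of LINE_BREAKER is treated as the event
    delimiter and discarded; the text between delimiters becomes one event each.
    truncate == 0 means "no length limit"; any other value caps each event.
    This is a simplified model, not Splunk's actual pipeline.
    """
    pattern = re.compile(line_breaker)
    events, pos = [], 0
    for m in pattern.finditer(raw):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain a capturing group")
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    events = [e for e in events if e]          # drop empty fragments
    if truncate:
        events = [e[:truncate] for e in events]
    return events


def whole_file_as_one_event(raw):
    """The configuration recommended in the thread: (?!) never matches, so no
    boundary is ever found, and TRUNCATE = 0 keeps the single event intact."""
    return break_events(raw, line_breaker=r"(?!)", truncate=0)


if __name__ == "__main__":
    print(len(break_events(SAMPLE_FILE)), "events with the line-based breaker")
    print(len(whole_file_as_one_event(SAMPLE_FILE)), "event with (?!) and TRUNCATE = 0")
```

Running it shows the same file split into four events under a line-based breaker but kept as a single event under the recommended settings; passing a small truncate value to break_events with the (?!) breaker reproduces the silent truncation the large TRUNCATE value is meant to avoid.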
I'm trying to do the same thing. I want Splunk to index a bunch of individual rule files. My props.conf looks like this:
[nessus_plugins]
TRUNCATE = 0
LINE_BREAKER = (?!)
SHOULD_LINEMERGE = false
But Splunk still keeps breaking the file into chunks. I can't figure out the logic of it either. Sometimes it will split the file after 16 events or so. Other times it'll do a couple hundred lines...
Any thoughts?
Craig
There is a much more elegant solution to address your issue, Starlette.
In your props.conf, have this stanza:
[your_currently_defined_stanza]
TRUNCATE = 0
LINE_BREAKER = (?!)
The reason for using this is that we'll never know how long is long enough. So TRUNCATE = 0 tells Splunk not to break the lines at all.
Look for TRUNCATE in the following webpage http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Propsconf