- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Configuration of props.conf and input.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I am interested to upload two distinct files form multiple directories. I have done this previously by using Splunk-web, but now I am trying to do it by modifying props.conf and input.conf. So I have two files that have two different extension. So I believe my input.conf goes like this
[monitor://C:/User/.../Data/...]
index = my_index1
sourcetype = my_sourcetype1
whitelist = .tir$
initCrcLength = 4000
[monitor://C:/User/.../Data/...]
index = my_index2
sourcetype = my_sourcetype2
whitelist = .JobEvent$
initCrcLength = 4000
Both sourcetype are custom. The events are very long. I am no sure if I'm starting the stanza correctly with the sourcetype. Please let me know I if this look right.
[my_sourcetype1]
SHOULD_LINEMERGER = true
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
category = Custom
MAX_EVENTS = 100000
BREAK_ONLY_BEFORE = Massabeeldiabloporviejoquepordiablo
[my_sourcetype2]
SHOULD_LINEMERGER = true
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
category = Custom
MAX_EVENTS = 100000
BREAK_ONLY_BEFORE = Massabeeldiabloporviejoquepordiablo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IMHO, this should work but you may still find events broken/terminated/truncated due to other limits; see here:
http://answers.splunk.com/answers/4162/size-limit-for-an-event.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IMHO, this should work but you may still find events broken/terminated/truncated due to other limits; see here:
http://answers.splunk.com/answers/4162/size-limit-for-an-event.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For now I cannot do much about those long files. In the future my plan is to parse all those files and create new files with a different structure/format that would be easier to divide them in multiple events, but that's another project. Thanks for your response.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
