When I configure Splunk to index a folder containing config files and text documents, it indexes each line of the files as a separate event. I would like to index each file as its own event, allowing me to use diff and other commands to itemize changes to the files. Once Splunk is integrated with our ticketing system, it can then determine whether changes were authorized and alert the appropriate team accordingly.
Here's a props.conf trick that's used by the *NIX app to consume long outputs as a single entry. A stanza like the following will allow you to consume your entire config file or document as a single event. Be sure to manually set your sourcetype on the Data Input to whatever you use in your stanza (myconfigs in the example):
[myconfigs]
# No line merging, plus a LINE_BREAKER that can never match, so the whole file becomes one event
SHOULD_LINEMERGE=false
# (?!) is an empty negative lookahead that never succeeds; the outer () is the capturing group LINE_BREAKER requires
LINE_BREAKER=((?!))
# Per-event byte limit (default 10000); raise it so large files are not cut short
TRUNCATE=1000000
Corrected LINE_BREAKER regex from (?=) to (?!). Basically, you want a regex that will never match as the LINE_BREAKER, i.e., you never want to break a line.
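To make the answer's stanza and the follow-up note concrete, here is an added example (not code from the original thread or from Splunk) that emulates how LINE_BREAKER, SHOULD_LINEMERGE=false and TRUNCATE carve one file into events, following the semantics in props.conf.spec: wherever the regex matches, the first capturing group marks the end of one event and the start of the next. It runs the documented default breaker, a breaker that fires before every "!", and the never-matching ((?!)) over a constructed sshd_config-style sample, rejects a regex with no capturing group, and then itemises the change between two whole-file events the way the asker wants to with SPL's diff. The sample files, function names and the choice to treat a missing capturing group as an error are assumptions of this example.

```python
import difflib
import re

# Constructed sample files (not from the original post): two versions of a small
# sshd_config-style file. The '!' in the comment line matters for the breaker demo.
CONFIG_V1 = (
    "# sshd_config -- managed by ops! do not hand-edit\n"
    "Port 22\n"
    "PermitRootLogin no\n"
    "PasswordAuthentication no\n"
)
CONFIG_V2 = CONFIG_V1.replace("PermitRootLogin no", "PermitRootLogin yes")

SPLUNK_DEFAULT_LINE_BREAKER = r"([\r\n]+)"   # documented default
SPLUNK_DEFAULT_TRUNCATE = 10000              # documented default
NEVER_MATCH_LINE_BREAKER = r"((?!))"         # the *NIX-app trick, with its capturing group


def break_events(raw, line_breaker=SPLUNK_DEFAULT_LINE_BREAKER,
                 truncate=SPLUNK_DEFAULT_TRUNCATE):
    """Emulate SHOULD_LINEMERGE=false + LINE_BREAKER + TRUNCATE on one file.

    props.conf.spec semantics: wherever the regex matches, the start of its first
    capturing group ends the previous event and the end of that group starts the
    next one; the captured text itself is discarded. TRUNCATE then caps each
    event (Splunk counts bytes; this emulation counts characters, which is the
    same thing for ASCII config files). Empty events, such as the one a trailing
    newline would leave behind, are dropped.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        # The spec requires a capturing group, so bare (?!) or the posted (?=!)
        # is rejected here (an assumption of this emulation) instead of guessing.
        raise ValueError("LINE_BREAKER needs a capturing group: %r" % line_breaker)
    events, cursor = [], 0
    for match in pattern.finditer(raw):
        start, end = match.span(1)
        if start < 0:            # group did not take part in this match
            continue
        events.append(raw[cursor:start])
        cursor = end
    events.append(raw[cursor:])
    return [event[:truncate] for event in events if event]


def whole_file_event(raw, truncate=1000000):
    """The stanza from the answer: never break, generous TRUNCATE -> one event."""
    return break_events(raw, NEVER_MATCH_LINE_BREAKER, truncate)


def diff_events(old_event, new_event):
    """Itemise the changes between two whole-file events, in the spirit of
    SPL's diff command, which compares _raw of two results in unified-diff
    form. Returns only the '-' and '+' lines, without headers or hunk markers."""
    delta = difflib.unified_diff(old_event.splitlines(), new_event.splitlines(),
                                 fromfile="previous", tofile="current",
                                 lineterm="", n=0)
    lines = list(delta)[2:]          # drop the ---/+++ file header lines
    return [line for line in lines if not line.startswith("@@")]


if __name__ == "__main__":
    print("default breaker :", len(break_events(CONFIG_V1)), "events")
    print("((?=!)) breaker :", len(break_events(CONFIG_V1, r"((?=!))")), "events")
    print("((?!)) breaker  :", len(whole_file_event(CONFIG_V1)), "event")
    old = whole_file_event(CONFIG_V1)[0]
    new = whole_file_event(CONFIG_V2)[0]
    for line in diff_events(old, new):
        print(line)
```

With the stanza in place, the equivalent search for the last two indexed versions of a file is along the lines of `sourcetype=myconfigs source="/etc/ssh/sshd_config" | head 2 | diff position1=1 position2=2`, which compares the `_raw` of the two results. One thing to check before relying on this for change detection: the monitor input keeps a per-file seek pointer and, when a file grows in place, reads only the appended bytes, so an append arrives as a fragment rather than a fresh whole-file event; test the stanza against the way your configuration management actually rewrites files.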