Getting Data In

LINE_BREAKER for input on a universal forwarder?

dominiquevocat
Motivator

I have a few universal forwarders which tail a folder structure. They send the data to an indexer where a search head is also enabled.

I need to specify a line breaker in props.conf like so:

[xXx]
BREAK_ONLY_BEFORE = Event[
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true

I am confused as to where I have to specify this, meaning in what place I have to add it to a props.conf.

Not on the universal forwarder, I gather... but where on the indexer? In $splunkhome$/etc/apps/Splunk/Forwarder???

To contain all the configuration items for that source/user group I created an app and placed this snippet in the app's /local/props.conf, but it fails to separate the events by the string and instead opts for the default, which is the timestamp roughly two lines below. (Hint: the source is a Windows event log export that is stripped of the XML for readability; we feed end user workstations' event logs to Splunk via a custom store-and-forward mechanism.)

0 Karma

kristian_kolb
Ultra Champion

Two things:

Does your regex match? I would recommend that you escape the opening square bracket, as it has special meaning in regex, like so:

[xXx]
BREAK_ONLY_BEFORE = Event\[

SHOULD_LINEMERGE = true is a default setting, so it is not strictly needed.

NO_BINARY_CHECK = 1 is only relevant in the input phase, so keep it there if your indexer is reading the files locally. If they're coming from a forwarder, this setting is ignored. But it won't hurt anything.

Alternatively:

Do you have the same [xXx] stanza configured anywhere with the BREAK_ONLY_BEFORE parameter set in a props.conf file that has higher precedence?

/etc/system/local

beats

/etc/apps/app_name/local

which in turn beats

/etc/system/default

See the docs on configuration file precedence:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles

/K

0 Karma
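As an added example, not code from the original thread or from Splunk, the Python below shows why the escape matters and how the precedence order above resolves a setting. In Python's re, as in the PCRE engine Splunk uses for props.conf regexes, `Event[` is an unterminated character class and does not compile at all, so the stanza cannot match anything and the default breaking behaviour applies. The sample event text, the `[xXx]` stanza contents, the app path `myapp` and the helper names are constructed for illustration, and `break_only_before` is only an approximation of Splunk's BREAK_ONLY_BEFORE semantics.

```python
import re

# Constructed sample, not from the original post: a stripped Windows
# event-log export with two events, each introduced by "Event[n]:".
SAMPLE = """Event[0]:
  Log Name: Security
  Date: 2014-01-15 10:22:31
  Event ID: 4624
Event[1]:
  Log Name: Security
  Date: 2014-01-15 10:22:35
  Event ID: 4625
"""


def compiles(pattern):
    """Return True if pattern is a valid regex, False if it fails to compile."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def break_only_before(text, pattern):
    """Approximate BREAK_ONLY_BEFORE: a new event starts at every line that
    matches pattern; all lines up to the next match merge into one event."""
    rx = re.compile(pattern)
    events, current = [], []
    for line in text.splitlines():
        if rx.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


# Constructed configuration layers, highest precedence first, in the order
# given in the answer. Each layer maps a stanza name to its settings.
LAYERS = [
    ("etc/system/local", {}),
    ("etc/apps/myapp/local", {"xXx": {"BREAK_ONLY_BEFORE": r"Event\["}}),
    ("etc/system/default", {"default": {"SHOULD_LINEMERGE": "true"}}),
]


def effective_setting(layers, stanza, key):
    """Return (layer, value) from the first layer that defines stanza/key,
    i.e. the copy of the setting that wins under file precedence."""
    for name, stanzas in layers:
        if key in stanzas.get(stanza, {}):
            return name, stanzas[stanza][key]
    return None, None


if __name__ == "__main__":
    for pat in ("Event[", r"Event\["):
        print(repr(pat), "compiles" if compiles(pat) else "does NOT compile")
    for ev in break_only_before(SAMPLE, r"Event\["):
        print("---\n" + ev)
    print(effective_setting(LAYERS, "xXx", "BREAK_ONLY_BEFORE"))
```

Running it shows `Event[` failing to compile while `Event\[` splits the sample into two events, and that a `[xXx]` stanza in `etc/system/local` would silently override the app's copy, which is the second thing to check.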

dominiquevocat
Motivator

For now I get very few logs (once per day a few events) till we ramp up, so testing has been difficult. It would seem that the last change took a while to have effect. The last change was placing the props.conf into the custom app on the indexer. It should have worked before, but perhaps it was just bad timing... ??? Will continue to watch it. Thanks for the reply anyway.

0 Karma

gfuente
Motivator

Under any app, in the local folder for example, like:

$splunkhome$/etc/apps/search/local

or

$splunkhome$/etc/apps/myapp/local

It will work either way.

0 Karma

dominiquevocat
Motivator

Cool, that is what I did... why doesn't it work? 🙂

0 Karma