I have a few universal forwarders which tail a folder structure. They send the data to an indexer where also a search head is enabled.
I need to specify in props.conf a line breaker like so:
[xXx]
BREAK_ONLY_BEFORE = Event[
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
I am confused as to where I have to specify this, meaning in which place I have to add it to a props.conf.
Not on the universal forwarder, I gather... but where on the indexer? In $splunkhome$/etc/apps/Splunk/Forwarder???
To contain all the configuration items for that source/usergroup I created an app and placed this snippet in the app's /local/props.conf, but it fails to separate the events by the string and instead opts for the default, which is the timestamp roughly two lines below. (Hint: the source is a Windows eventlog export that is stripped of the XML for readability; we feed end user workstations' eventlogs to Splunk via a custom store-and-forward mechanism.)
Two things:
Does your regex match? I should recommend that you escape the opening square bracket, as it has special meaning in regex, like so:
[xXx]
BREAK_ONLY_BEFORE = Event\[
SHOULD_LINEMERGE = true is a default setting, so it is not strictly needed.
NO_BINARY_CHECK = 1 is only relevant in the input phase, so keep it there if your indexer is reading the files locally. If they're coming from a forwarder, this setting is ignored. But it won't hurt anything.
Alternatively:
Do you have the same [xXx] stanza configured anywhere with the BREAK_ONLY_BEFORE parameter set in a props.conf file that has higher precedence?
/etc/system/local beats /etc/apps/app_name/local, which in turn beats /etc/system/default.
See the docs on configuration file precedence:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles
/K
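To check the first point (whether the BREAK_ONLY_BEFORE value even compiles, and what the line breaker would then do), here is an added Python model of the merge/break step; it is not Splunk's own code, and the sample export lines are constructed:

```python
import re

# Constructed sample of a stripped Windows event-log export: each event starts
# with a line beginning "Event[" and the timestamp sits a couple of lines down.
SAMPLE_LINES = [
    "Event[0]:",
    "  Log Name: Security",
    "  Date: 2014-02-03T08:15:02.000",
    "  Event ID: 4624",
    "Event[1]:",
    "  Log Name: Security",
    "  Date: 2014-02-03T08:16:10.000",
    "  Event ID: 4634",
]

def regex_compiles(pattern):
    """Return True if the BREAK_ONLY_BEFORE value is a valid regex.
    An unescaped "[" opens a character class that is never closed."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def break_events(lines, break_only_before):
    """Simplified model of SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE:
    lines are merged into the current event until one matches the regex,
    which then starts a new event. Illustration only, not Splunk's
    own line-merging implementation."""
    regex = re.compile(break_only_before)
    events, current = [], []
    for line in lines:
        if current and regex.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

if __name__ == "__main__":
    for pattern in ("Event[", r"Event\["):
        if not regex_compiles(pattern):
            print(f"BREAK_ONLY_BEFORE = {pattern}: invalid regex, rule cannot apply")
            continue
        for i, event in enumerate(break_events(SAMPLE_LINES, pattern)):
            print(f"BREAK_ONLY_BEFORE = {pattern}: event {i}\n{event}\n")
```

With the unescaped value the regex does not compile at all, which is consistent with Splunk silently falling back to timestamp-based breaking; with the escaped value the sample splits into two events.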
For now I get very few logs (once per day a few events) till we ramp up, so testing has been difficult. It would seem that the last change took a while to have effect. The last change was placing the props.conf into the custom app on the indexer. It should have worked before, but perhaps it was just bad timing...??? Will continue to watch it. Thanks for the reply anyway.
Under any app, in the local folder for example. Like:
$splunkhome$/etc/apps/search/local
or
$splunkhome$/etc/apps/myapp/local
It will work anyway.
Cool. That is what I did... why doesn't it work? 🙂