Getting Data In

LINE_BREAKER for input on a universal forwarder?

dominiquevocat
Motivator

I have a few universal forwarders which tail a folder structure. They send the data to an indexer where a search head is also enabled.

I need to specify a line breaker in props.conf like so:

[xXx]
BREAK_ONLY_BEFORE = Event[
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true

I am confused as to where I have to specify this, meaning in what place I have to add it to a props.conf.

Not on the universal forwarder, I gather... but where on the indexer? In $splunkhome$/etc/apps/Splunk/Forwarder???

To contain all the configuration items for that source/user group I created an app and placed this snippet in the app's /local/props.conf, but it fails to separate the events by the string and instead opts for the default, which is the timestamp roughly two lines below. (Hint: the source is a Windows event log export that is stripped of the XML for readability; we feed end user workstations' event logs to Splunk via a custom store-and-forward mechanism.)

0 Karma

kristian_kolb
Ultra Champion

Two things.

Does your regex match? I would recommend that you escape the opening square bracket, as it has special meaning in regex, like so:

[xXx]
BREAK_ONLY_BEFORE = Event\[

SHOULD_LINEMERGE = true is a default setting, so it is not strictly needed.

NO_BINARY_CHECK = 1 is only relevant in the input phase, so keep it there if your indexer is reading the files locally. If they're coming from a forwarder, this setting is ignored. But it won't hurt anything.

Alternatively:

Do you have the same [xXx] stanza configured anywhere with the BREAK_ONLY_BEFORE parameter set in a props.conf file that has higher precedence?

/etc/system/local

beats

/etc/apps/app_name/local

which in turn beats

/etc/system/default

See the docs on configuration file precedence:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles

/K

0 Karma
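To make the point about the unescaped bracket concrete, here is an added example that is not part of the thread and not Splunk's own code. It models BREAK_ONLY_BEFORE on a constructed, XML-stripped Windows event-log export of the kind the question describes, using Python's re module as a stand-in for Splunk's PCRE engine (an assumption; both reject `Event[` as an unterminated character class). The fallback to timestamp-based breaking when the pattern is invalid is likewise a simplified model of the default behaviour, chosen to reproduce the symptom reported above (events split at the timestamp a couple of lines into each record), not a statement about Splunk internals.

```python
"""Model Splunk's BREAK_ONLY_BEFORE on a constructed event-log export,
comparing the unescaped pattern 'Event[' with the escaped 'Event\\['."""
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the thread): an abbreviated Windows
# event-log export with the XML stripped, three records, timestamp on the
# third line of each record.
SAMPLE_EXPORT = (
    "Event[0]\n"
    "  Source: Microsoft-Windows-Security-Auditing\n"
    "  Time: 2014-01-15 08:12:03\n"
    "  EventID: 4624\n"
    "  An account was successfully logged on.\n"
    "Event[1]\n"
    "  Source: Microsoft-Windows-Security-Auditing\n"
    "  Time: 2014-01-15 08:12:05\n"
    "  EventID: 4634\n"
    "  An account was logged off.\n"
    "Event[2]\n"
    "  Source: Service Control Manager\n"
    "  Time: 2014-01-15 08:13:41\n"
    "  EventID: 7036\n"
    "  The Windows Update service entered the running state.\n"
)

# Simplified stand-in for the default timestamp-based breaking
# (BREAK_ONLY_BEFORE_DATE): a new event starts on any line carrying a date.
DEFAULT_DATE_RX = re.compile(r"^.*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", re.MULTILINE)


def compile_break_pattern(pattern: str) -> Optional[re.Pattern]:
    """Compile a BREAK_ONLY_BEFORE value; return None if it is not a valid regex.

    'Event[' opens a character class that is never closed, so it fails to
    compile; 'Event\\[' matches the literal bracket."""
    try:
        return re.compile(pattern, re.MULTILINE)
    except re.error:
        return None


def split_events(data: str, rx: re.Pattern) -> List[str]:
    """Start a new event at the beginning of every line that contains a match."""
    starts = sorted({data.rfind("\n", 0, m.start()) + 1 for m in rx.finditer(data)})
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # leading text before the first match is its own event
    bounds = zip(starts, starts[1:] + [len(data)])
    return [data[a:b].rstrip("\n") for a, b in bounds if data[a:b].strip()]


def break_only_before(data: str, pattern: str) -> Tuple[bool, List[str]]:
    """Apply BREAK_ONLY_BEFORE=pattern to data.

    Returns (pattern_was_valid, events). An invalid pattern falls back to the
    timestamp model above (assumption), which is what produces the symptom of
    events breaking at the timestamp instead of at 'Event['."""
    rx = compile_break_pattern(pattern)
    if rx is None:
        return False, split_events(data, DEFAULT_DATE_RX)
    return True, split_events(data, rx)


if __name__ == "__main__":
    for pat in ("Event[", r"Event\["):
        ok, events = break_only_before(SAMPLE_EXPORT, pat)
        print(f"BREAK_ONLY_BEFORE = {pat}: valid={ok}, {len(events)} events")
        for ev in events:
            print("  ---\n  " + ev.replace("\n", "\n  "))
```

Running it shows the escaped pattern yielding three events that each begin with `Event[n]`, while the unescaped one never compiles and the records end up cut at the `Time:` line, with the next record's `Event[n]` header glued to the tail of the previous event. A quick way to catch this on a real indexer is to search `index=_internal source=*splunkd.log* props.conf` (or simply the stanza name) for regex compile errors after reloading.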

dominiquevocat
Motivator

For now I get very few logs (once per day a few events) till we ramp up, so testing has been difficult. It would seem that the last change took a while to take effect. The last change was placing the props.conf into the custom app on the indexer. It should have worked before, but perhaps it was just bad timing... ??? Will continue to watch it. Thanks for the reply anyway.

0 Karma

gfuente
Motivator

Under any app, in the local folder, for example:

$splunkhome$/etc/apps/search/local

or

$splunkhome$/etc/apps/myapp/local

It will work either way.

0 Karma

dominiquevocat
Motivator

Cool, that is what I did... why doesn't it work? 🙂

0 Karma