Hey everyone,
So I have a script that generates status logs for a few network devices that my Splunk forwarder grabs, but every now and again something screws it up and it garbles the entry. The garbled entry is always a smaller linecount, this accounts for roughly 1% of my logs from the script. Is there a way to tell Splunk in the props file to throw away the entry if it's less than 23 lines long? Thanks!
Not if you monitor the log file with a [monitor]
and the nullQueue filtering will only work on a line per line basis.
If you were using a scripted input, then you could add some logic when you generate the logs to drop the invalid ones.
Not if you monitor the log file with a [monitor]
and the nullQueue filtering will only work on a line per line basis.
If you were using a scripted input, then you could add some logic when you generate the logs to drop the invalid ones.
thanks for your help, i've adjusted my script, oh well.
yes, something like if result count < 23 don't write anything (to file or to script output)