Hi,
One of my forwarders is monitoring a directory where timestamped files populate every five minutes. The text output in the file includes a few-line header from the script along with all the results. The results are in the format "user ~ message"
For some reason, splunk is reading the ENTIRE file (source) as one log event. This is what's in my inputs file:
[monitor://D:\badPwdCount\logs\HIGH*.txt]
sourcetype = OVD_PW
disabled = false
SHOULD_LINEMERGE= false
crcSalt = <SOURCE>
SOURCE is in between <> for crcSALT but it won't show up in comments. The issue is that Splunk is either picking up the entire file as an event, or a few events at a time as 1 event. Is a separate timestamp/unique identifier required for each line?
I added a field to the log records for "line number" which is basically "log record" and this worked like a charm. 🙂
You should tell Splunk what an event looks like in order to split the events correctly.
Could you post a sample of your data?
SHOULD_LINEMERGE= false
does not go in inputs.conf
- it goes in props.conf
like so
[OVD_PW]
SHOULD_LINEMERGE= false
I think that is the problem here.
What settings are you using for that sourcetype in props.conf on the indexer(s)?
Additionally, do post some sample data.
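One way to put the replies above together, as an added example that is not from the original thread: a props.conf stanza for the OVD_PW sourcetype that breaks on every newline and stamps each record with index time (the records carry no timestamp), plus a transforms.conf rule that drops the script's header lines before they are indexed. The stanza name ovd_pw_drop_header and the assumption that header lines never contain the " ~ " separator are mine, since no sample data was posted.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data;
# a universal forwarder only reads files and does not apply these settings)
[OVD_PW]
# one line = one event; never merge lines into a multi-line event
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# the records have no timestamp, so use index time instead of letting
# Splunk hunt for a date in the line (which is what causes line merging)
DATETIME_CONFIG = CURRENT
# discard the script's header lines before they reach the index
TRANSFORMS-drop_header = ovd_pw_drop_header
# search-time extraction of the two fields from "user ~ message"
EXTRACT-ovd_pw = ^(?<user>[^~]+?)\s*~\s*(?<message>.*)$

# transforms.conf
[ovd_pw_drop_header]
# ASSUMPTION: only result lines contain " ~ "; anything without it is header
REGEX = ^(?!.*\s~\s).*$
DEST_KEY = queue
FORMAT = nullQueue
```

The inputs.conf stanza from the question can stay as it is; crcSalt = <SOURCE> already makes each timestamped file a distinct source, so the only change is that the line-breaking settings move to props.conf.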