Getting Data In

splunk not parsing txt file from forwarder correctly

bcusick
Communicator

Hi,

One of my forwarders is monitoring a directory where timestamped files populate every five minutes. The text output in the file includes a few-line header from the script along with all the results. The results are in the format "user ~ message"

For some reason, splunk is reading the ENTIRE file (source) as one log event. This is what's in my inputs file:

[monitor://D:\badPwdCount\logs\HIGH*.txt]
sourcetype = OVD_PW
disabled = false
SHOULD_LINEMERGE = false
crcSalt = <SOURCE>

SOURCE is in between <> for crcSALT but it won't show up in comments. The issue is that Splunk is either picking up the entire file as an event, or a few events at a time as 1 event. Is a separate timestamp/unique identifier required for each line?

0 Karma
1 Solution

bcusick
Communicator

I added a field to the log records for "line number" which is basically "log record" and this worked like a charm. 🙂

ofrachon
Path Finder

You should tell Splunk what an event looks like in order to split the events correctly.

Could you post a sample of your data?

0 Karma

lguinn2
Legend

SHOULD_LINEMERGE = false does not go in inputs.conf; it goes in props.conf, like so:

[OVD_PW]
SHOULD_LINEMERGE= false

I think that is the problem here.
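
To show where each setting lives, here is an added example (not from any of the posters) that keeps the forwarder's inputs.conf to input settings and puts the parsing settings on the indexer side, covering the no-timestamp lines and the script header mentioned in the question. The header regex, the stanza name ovd_header and the field names user/message are assumptions, since the actual header text is not shown in the thread.

```ini
# inputs.conf on the forwarder: only input settings belong here
[monitor://D:\badPwdCount\logs\HIGH*.txt]
sourcetype = OVD_PW
disabled = false
crcSalt = <SOURCE>

# props.conf on the indexer(s) or a heavy forwarder; a universal
# forwarder does not apply these parsing settings
[OVD_PW]
SHOULD_LINEMERGE = false
# break on every newline so each "user ~ message" line is one event
LINE_BREAKER = ([\r\n]+)
# the lines carry no timestamp, so stamp events with the index time
# instead of letting Splunk scan each line for one
DATETIME_CONFIG = CURRENT
# drop the script's header lines before indexing (stanza name assumed)
TRANSFORMS-drop_header = ovd_header
# search-time extraction of the "user ~ message" layout (names assumed)
EXTRACT-ovd_fields = ^(?<user>[^~]+?)\s*~\s*(?<message>.*)$

# transforms.conf on the indexer(s)
[ovd_header]
# assumed header shape: any line that does not contain the "~" separator
REGEX = ^(?:(?!~).)*$
DEST_KEY = queue
FORMAT = nullQueue
```

Restart the indexer (or reload props/transforms) after editing, and check the result with a search over the sourcetype before trusting it for the five-minute files.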

martin_mueller
SplunkTrust

What settings are you using for that sourcetype in props.conf on the indexer(s)?
Additionally, do post some sample data.

0 Karma