Problems with File Import and props.conf

tpaulsen · ‎08-19-2011

Hello,

we use Splunk 4.1.7 and we would like to import once every night a file with the following content:

19702800;  2;00;  5377;     0; 0; 0; 0;002/00;     5;     1158;     0; 8;001401;       22727;          11;      272042 
 19706400;  2;00;  2924;     0; 0; 0; 0;002/00;     4;     1158;     0; 8;001401;       12123;          12;      425960 
 19710000;  2;00;  1163;     0; 0; 0; 0;002/00;     1;     1158;     0; 8;001401;        4953;          12;      487065

The file is about 3MB big.

We want each line to be indexed in Splunk as a single event.
For that purpose i wrote the following entry in our props.conf:

[mysourcetypename]
KV_MODE = none
MAX_EVENTS = 1
SHOULD_LINEMERGE = false

[source::.../var/MYFILEWITHDATA.TXT]
sourcetype = mysourcetypename

Despite this props.conf the first 258 lines of the file will always get imported as a big multiline event, before with line 259 Splunk starts to import each line as single events.
I can´t find any problems within the datafile, so what is causing this behaviour and how can we get Splunk to break each line into a single event?

Thank you in advance,

with kind regards, Thomas Paulsen

tpaulsen · ‎08-22-2011

My inputs.conf looks like this:

[monitor:///var/MYFILEWITHDATA.TXT]
disabled = false
host = splunk-a
index = idx_mystatistik
crcSalt = <SOURCE>
sourcetype = mysourcetypename

If i don´t have the crcSalt stanza and the props.conf defintion, then everything gets imported as one single big chunky multilineevent.

lguinn2 · ‎08-21-2011

What happens if you put the 'sourcetype=mysourcetypename' in your inputs.conf under the appropriate monitor stanzas?

What happens if you disable the '[mysourcetype]' stanza?

Problems with File Import and props.conf

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms