Getting Data In

How to configure file monitoring to make the full content of a file as one event?

hartfoml
Motivator

I have Login files in a folder that are overwritten each time a person logs in. I would like to read in the entire file with file change date as event date each time the file changes and have the entire file content be one event.

0 Karma

jkat54
SplunkTrust

The answer above is seriously close so I give dshpritz credit. I think the solution needs a little twist though:

[login]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Machine:
TRUNCATE = 9999999999
0 Karma

hartfoml
Motivator

@jkat54 @dshpritz, Thanks for the help

I tried both of these solutions and neither one is working.

There is a logon script running on the Windows systems and the data collected overwrites a file in a shared directory that Splunk is monitoring. The Splunk UF on the system sends the changed file contents to an intermediate forwarder where I have the props.conf file setting the index-time behavior for this sourcetype. Then the IF is sending the login events to three indexers using round-robin routing. I am still getting one out of 6 event logs breaking in the middle of the log file to create two events for one file.

Where the "LINE_BREAKER" is executed seems to be random.

Thanks for helping

0 Karma

jkat54
SplunkTrust

Can you post an example of the data?

0 Karma

jkat54
SplunkTrust

Before, was it one out of every six that didn't line-break correctly, or is the behavior better now?

If the behavior is better with the props I suggested then we're at least moving in the right direction. Next I would make sure props are on all indexers and forwarders.

If the behavior is the same, then it's back to the drawing board... I'd like to see the script that generates the data.

0 Karma

hartfoml
Motivator

Without the props the files are read and each line in each file is an event.
With the props.conf most of the files are one event.

I was hoping to manage this at index time on the intermediate forwarder and not have to manage props.conf on the indexers and universal forwarder.

I will start with the indexers, as the UF does not seem like a likely place to put props.conf, and see if this helps.

Thanks much for the suggestion @jkat54. I was hoping to avoid dispersed management of props.conf.

0 Karma

hartfoml
Motivator

This file did not break:

4/25/16
12:38:02.000 PM

Machine:mysystemname
User:myuser
Domain:local.com
SN:MJMBVCN
Asset:
OS:Microsoft Windows 7 Enterprise
SP:Service Pack 1
Chassis Type:3
CAE:Yes
DAR:No
MIP:No
KACE:Yes
Windows IP Configuration
Host Name . . . . . . . . . . . . : mysystemname
Primary Dns Suffix . . . . . . . : local,com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : local.com

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : local.com
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 44-37-E6-93-F6-09
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::50d4:1efa:fb18:b8c%11(Preferred)
IPv4 Address. . . . . . . . . . . : n.n.n.n(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, April 20, 2016 4:58:43 AM
Lease Expires . . . . . . . . . . : Monday, April 25, 2016 4:58:45 PM
Default Gateway . . . . . . . . . : z.z.z.z
DHCP Server . . . . . . . . . . . : y.y.y.y
DHCPv6 IAID . . . . . . . . . . . : 272906214
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-A1-98-02-44-37-E6-93-F6-09
DNS Servers . . . . . . . . . . . : x.x.x.x

NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter 6TO4 Adapter:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

0 Karma

hartfoml
Motivator

This same system broke at line 12:

4/25/16
12:35:00.000 PM

Machine:mysystemname
User:myuser
Domain:local.com
SN:MJMBVCN
Asset:
OS:Microsoft Windows 7 Enterprise
SP:Service Pack 1
Chassis Type:3
CAE:Yes
DAR:No
MIP:No
KACE:Yes


linebreak

Windows IP Configuration
Host Name . . . . . . . . . . . . : mysystemname
Primary Dns Suffix . . . . . . . : local.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : local.com
v
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : local.com
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 44-37-E6-93-F6-09
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::50d4:1efa:fb18:b8c%11(Preferred)
IPv4 Address. . . . . . . . . . . : n.n.n.n(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, April 20, 2016 4:58:43 AM
Lease Expires . . . . . . . . . . : Monday, April 25, 2016 4:58:46 PM
Default Gateway . . . . . . . . . : z.z.z.z
DHCP Server . . . . . . . . . . . : y.y.y.y
DHCPv6 IAID . . . . . . . . . . . : 272906214
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-A1-98-02-44-37-E6-93-F6-09
DNS Servers . . . . . . . . . . . : x.x.x.x

NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter 6TO4 Adapter:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

0 Karma

dshpritz
SplunkTrust

You need to adjust the line breaking for the sourcetype or source. For example:

props.conf:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
TRUNCATE = 999999

One thing to keep in mind is that you could run into problems if the data source starts writing the file and then pauses, in which case you would need to adjust the time_before_close in your inputs.conf.
hth

0 Karma
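The two props.conf approaches in this thread (the never-matching LINE_BREAKER above and jkat54's `BREAK_ONLY_BEFORE = Machine:` with `SHOULD_LINEMERGE = true`) can be tried against a sample file without an indexer using this small Python model of Splunk's line-breaking, line-merging and truncation steps. It is an added example, not Splunk's code and not anything posted in the thread: `SAMPLE_FILE` is a constructed, shortened stand-in for the login file, the model ignores timestamp-based merging and MAX_EVENTS (which is what `DATETIME_CONFIG = NONE` gives you), and it takes a chunk boundary to mean the writer paused long enough for the input to close the file early, which is the time_before_close caveat above.

```python
import re

# Constructed sample shaped like the thread's login file (shortened, placeholder values).
SAMPLE_FILE = (
    "Machine:mysystemname\n"
    "User:myuser\n"
    "Domain:local.com\n"
    "OS:Microsoft Windows 7 Enterprise\n"
    "KACE:Yes\n"
    "Windows IP Configuration\n"
    "Host Name . . . . . . . . . . . . : mysystemname\n"
    "\n"
    "Ethernet adapter Local Area Connection:\n"
    "IPv4 Address. . . . . . . . . . . : n.n.n.n(Preferred)\n"
    "Default Gateway . . . . . . . . . : z.z.z.z\n"
)

DEFAULT_LINE_BREAKER = r"([\r\n]+)"  # Splunk's default LINE_BREAKER
NEVER_BREAK = r"((?!))"              # the pattern from the answer above: the lookahead can never match


def break_lines(raw, line_breaker=DEFAULT_LINE_BREAKER):
    """LINE_BREAKER model: split raw text at every match of the regex and
    discard whatever the first capture group matched (Splunk's semantics)."""
    pieces, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain a capture group")
        pieces.append(raw[start:m.start(1)])
        start = m.end(1)
    pieces.append(raw[start:])
    return [p for p in pieces if p]  # empty pieces (blank lines) carry no event text


def merge_lines(lines, should_linemerge, break_only_before=None):
    """SHOULD_LINEMERGE / BREAK_ONLY_BEFORE model. Timestamp-driven breaking and
    MAX_EVENTS are deliberately ignored (the thread sets DATETIME_CONFIG = NONE).
    The pattern is used literally, as conf-file values are: no quote stripping."""
    if not should_linemerge:
        return list(lines)
    events, current = [], []
    for line in lines:
        if current and break_only_before and re.search(break_only_before, line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def apply_truncate(events, limit):
    """TRUNCATE model: 0 means unlimited (characters here; Splunk counts bytes)."""
    return events if limit == 0 else [e[:limit] for e in events]


def index_chunks(chunks, line_breaker=DEFAULT_LINE_BREAKER, should_linemerge=True,
                 break_only_before=None, truncate_at=10000):
    """Run breaking, merging and truncation over each chunk independently.
    Assumption used for illustration: a chunk boundary stands for the writer
    pausing long enough that the input closed the file (time_before_close) and
    flushed what it had, so the remainder can never be merged with it."""
    events = []
    for chunk in chunks:
        lines = break_lines(chunk, line_breaker)
        events.extend(apply_truncate(merge_lines(lines, should_linemerge, break_only_before), truncate_at))
    return events


def scenario_event_counts():
    """Event counts for the configurations discussed in the thread, on the sample
    file delivered whole and delivered in two pieces (writer paused after line 5)."""
    cut = SAMPLE_FILE.index("Windows IP Configuration")
    whole = [SAMPLE_FILE]
    paused = [SAMPLE_FILE[:cut], SAMPLE_FILE[cut:]]
    two_logins = [SAMPLE_FILE * 2]  # two records in one chunk, to show the quoting pitfall
    return {
        # no props: every line is its own event
        "no_props": len(index_chunks(whole, should_linemerge=False)),
        # a LINE_BREAKER that never matches keeps the whole chunk in one piece
        "never_break": len(index_chunks(whole, NEVER_BREAK, should_linemerge=False, truncate_at=999999)),
        # merge lines, start a new event only before "Machine:"
        "break_before_machine": len(index_chunks(whole, break_only_before="Machine:", truncate_at=0)),
        # both approaches split the record once the writer pauses mid-file
        "never_break_paused": len(index_chunks(paused, NEVER_BREAK, should_linemerge=False, truncate_at=999999)),
        "break_before_machine_paused": len(index_chunks(paused, break_only_before="Machine:", truncate_at=0)),
        # quoting the value in props.conf makes the regex look for literal quote characters
        "two_logins_unquoted": len(index_chunks(two_logins, break_only_before="Machine:", truncate_at=0)),
        "two_logins_quoted": len(index_chunks(two_logins, break_only_before='"Machine:"', truncate_at=0)),
    }


if __name__ == "__main__":
    for name, count in scenario_event_counts().items():
        print(f"{name:30s} {count} event(s)")
```

With the whole file delivered at once both configurations yield one event; delivered in two pieces both yield two, which is why a split that survives the props.conf change points at the writer pausing (inputs.conf, time_before_close) rather than at line breaking. The last two scenarios show that a quoted value such as `BREAK_ONLY_BEFORE = "Machine:"` is taken literally and never matches a `Machine:` line; on an overwritten single-record file that is harmless, since a pattern that never matches also gives one event per file, but it silently stops separating records if two ever arrive in one chunk.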

hartfoml
Motivator

Can anyone help with this?

I think it has to do with line breaking?

0 Karma

sundareshr
Legend

Have you tried

TRUNCATE = 0
BREAK_ONLY_BEFORE = "THISLINEDOESNTEXIST"

Not sure if this is the best answer, but worth a try.

0 Karma

hartfoml
Motivator

Thanks this helped

I am still getting some files that are breaking

My props.conf in the $SplunkHome/etc/system/local on the Intermediate Forwarder (IF) is like this:

[login]
SHOULD_LINEMERGE = true
DATETIME_CONFIG = NONE
TRUNCATE = 0
BREAK_ONLY_BEFORE = "Machine:"

I am not getting historic files like I did when I started.

My process for testing is like this:
1) Uninstall monitoring app on Universal Forwarder (UF) using deploy-server
2) Delete index with old broken records
3) Recreate new index
4) Make changes to props.conf on IF and restart Splunk
5) Reinstall monitoring app on UF with DS
6) Check records in new index by doing "| stats count by source" to see if any one file was broken at index time

Thanks for the help @sundareshr

Can anyone else help with this problem?

0 Karma

dcharboneau_spl
Splunk Employee

If I am reading this correctly.... You made the changes, tried to reindex data you had indexed previously (historical) and these files did not index. Likely the Fishbucket thinks the files have been indexed before. See this post in answers:
https://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html

0 Karma