Splunk Dev

Break reports

derekclarke
New Member

I am importing log files into Splunk from a file. Each log entry starts with the string "** Alert" and ends with a double paragraph mark. The log entries are multi-line and of variable length, and a combination of various sources (Windows alerts, firewall alerts etc).

When importing, I click 'A file or directory of files'; 'Consume any file on this Splunk server'; 'Upload and index a file'; then browse for the file and click save.

No matter what I try in props.conf, each log entry begins with the date (which is the SECOND line of the entry) and ends with the "** Alert" from the next entry. I am editing the [default] section. (I have copied props.conf from /etc/system/default into etc/system/local and this is the one I'm editing).

Can someone suggest a suitable setting in props.conf, or is it that I have to do something to make Splunk use the default part of props.conf rather than making its own mind up about what sort of file it's importing?

TIA


derekclarke
New Member

Damn - I didn't stop and restart the daemon. Idiot.

Ignore please - works fine now!
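Added example, not from the poster or from Splunk: a small Python model of the event-breaking the question is about. `break_on_timestamp` approximates what the defaults did to the file (new event at each timestamped line), and `break_events` applies LINE_BREAKER semantics so every event starts at "** Alert". The sample log, the `my_alert_log` sourcetype name and the function names are assumptions.

```python
import re
from typing import List

# Constructed sample input (not from the thread): two multi-line entries from
# different sources, each starting with "** Alert" and ending with a blank line.
SAMPLE_LOG = (
    "** Alert 1001 (windows)\n"
    "2012-03-01 10:15:02 host=WS01\n"
    "Event 4625: an account failed to log on\n"
    "\n"
    "** Alert 1002 (firewall)\n"
    "2012-03-01 10:15:30 src=10.0.0.5 dst=10.0.0.9\n"
    "Connection dropped by rule 12\n"
    "\n"
)

# props.conf settings modelled here (real setting names; the stanza name is an
# assumption). Put them in a sourcetype stanza assigned to the input rather
# than in [default], then restart splunkd so the change is picked up:
#   [my_alert_log]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)\*\*\s+Alert
# Splunk treats the text matched by the FIRST capture group as the delimiter:
# it is discarded, and the next event starts right after it, at "** Alert".
LINE_BREAKER = re.compile(r"([\r\n]+)\*\*\s+Alert")

# What the poster saw with the defaults: automatic timestamp detection starts
# a new event at every line that carries a timestamp.
TIMESTAMP_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", re.M)

def break_events(raw: str, breaker: re.Pattern) -> List[str]:
    """Split raw text into events with LINE_BREAKER-style semantics."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        chunk = raw[start:m.start(1)]      # event ends where the delimiter begins
        if chunk.strip():
            events.append(chunk.strip("\r\n"))
        start = m.end(1)                   # next event starts after the delimiter
    if raw[start:].strip():
        events.append(raw[start:].strip("\r\n"))
    return events

def break_on_timestamp(raw: str) -> List[str]:
    """Approximate the default behaviour: a new event at each timestamped line."""
    cuts = [m.start() for m in TIMESTAMP_LINE.finditer(raw)] + [len(raw)]
    if cuts[0] != 0:
        cuts.insert(0, 0)                  # leading untimestamped lines form event 0
    return [raw[a:b].strip("\r\n") for a, b in zip(cuts, cuts[1:]) if raw[a:b].strip()]
```

Run `break_events(SAMPLE_LOG, LINE_BREAKER)` to see the two "** Alert" events, and `break_on_timestamp(SAMPLE_LOG)` to reproduce the mis-broken events the question describes.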
