Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I define props.conf with respective source types?

sravankaripe
Communicator
‎10-28-2016 01:28 PM

i have text file with some data below. how can i define my props.conf file with respective sourcetypes?

file 1 of sourcetype=s1

Batch Counter   Cache Name  CacheSize   MemoryBytes MemoryMB    Avg Object Size
77  Item.1.BUSINESS_PARTNER 1836304.0   1836304.0   1.7512359619140625  1.0

props.conf

[s1]
TIME_FORMAT=
TIME_PREFIX=
MAX_TIMESTAMP_LOOKAHEAD=
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=
category=Custom
disabled=false
pulldown_type=true

file 2 of sourcetype=s2

Batch Counter   Report Time Service Cache Name  Tier    Total Puts  Total PutsMillis    Total Gets  Total Gets Millis   Total Hits  Total Hits Millis   Total Misses    Total Misses Millis Total Writes    Total Write Millis  Total Reads Total Read Millis   Total Failures  Total Queue Evictions   Cache Prunes    Cache Prunes Millis
77  Wed Oct 26 16:00:19 CDT 2016    ItemDistributedCache    Item.1.BUSINESS_PARTNER back    0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

props.conf

[s2]
TIME_FORMAT=
TIME_PREFIX=
MAX_TIMESTAMP_LOOKAHEAD=
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=
category=Custom
disabled=false
pulldown_type=true

file 3 of sourcetype=s3

Batch Counter   ReportTime  RefreshPolicy   RefreshTime RefreshExcessCount  RefreshCount    RefreshPredictionCount  RefreshTimeoutCount
77  Wed Oct 26 16:00:33 CDT 2016    refresh-ahead   Wed  Oct  26  16:00:33  CDT  2016   2351    186539  8104896     13591

props.conf

[s3]
TIME_FORMAT=
TIME_PREFIX=
MAX_TIMESTAMP_LOOKAHEAD=
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=
category=Custom
disabled=false
pulldown_type=true

file 4 of sourcetype=s4

Batch Counter   Report Time JVM Uptime  Node Id GC Name CollectionCount Delta Collection Count  CollectionTime  Delta Collection Time   Last GC Start Time  Last GC Duration Millis Heap Committed  Heap Init   Heap Max    Heap Used

77  Wed Oct 26 16:00:19 CDT 2016    51754933    1   Garbage collection optimized for deterministic pausetimes Old Collector 140 0.0 498984  0.0 41146021    1565.0  6442450944  4294967296  6442450944  3854384608

props.conf

[s4]
TIME_FORMAT=
TIME_PREFIX=
MAX_TIMESTAMP_LOOKAHEAD=
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=
category=Custom
disabled=false
pulldown_type=true
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-28-2016 02:23 PM

All your source appear to be tab separated values as such, you should be able to use tsv as the predefined sourcetype.

OR use these settings to create individual sourcetype for each file. All source will have the same settings

[ s1]
CHARSET=AUTO
FIELD_DELIMITER=tab
HEADER_FIELD_DELIMITER=tab
INDEXED_EXTRACTIONS=tsv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Tab-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-28-2016 02:23 PM

All your source appear to be tab separated values as such, you should be able to use tsv as the predefined sourcetype.

OR use these settings to create individual sourcetype for each file. All source will have the same settings

[ s1]
CHARSET=AUTO
FIELD_DELIMITER=tab
HEADER_FIELD_DELIMITER=tab
INDEXED_EXTRACTIONS=tsv
KV_MODE=none
SHOULD_LINEMERGE=false
category=Structured
description=Tab-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
Reply
Solved! Jump to solution

sravankaripe
Communicator
‎10-28-2016 02:29 PM

Thanks sundareshr

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...