Getting Data In

Line breaks and the 'Add Data' process

_smp_
Builder

I'm a fairly inexperience Splunk admin, and I've used the Add Data feature a couple of times to test out new sourcetype properties. At the moment, I'm trying to develop a custom syslog sourcetype and apply it to a network input but I'm having a lot of difficulty with line breaking. The sample data I'm using was gathered by a packet capture, exported as raw data, and added to a text file. It seem to get it working with the sample data, but when I apply it to the actual input, I run into all sorts of issues.

This got me thinking...the syslog events in the input stream do not actually end with a CR/LF character. But every event my sample data that I'm ingesting is on a new line. Is this an inaccurate way to represent the sample data? Would it be a more accurate representation of the input stream if I concatenated these test events onto a single line in my sample text file and tried to line-break from there?

0 Karma

woodcock
Esteemed Legend

The "right" way to do this is to use the Stream app for Splunk to do the packet capture and you will be blown away. Is there some reason that you cannot do this?

0 Karma

_smp_
Builder

No, just inexperience. I am reading the documentation now.

0 Karma

woodcock
Esteemed Legend
0 Karma

_smp_
Builder

I have spent the last four hours trying to make sense of this app, but it is just way too far over my head at my current experience level. Hopefully someone will respond with an alternate approach.

0 Karma

woodcock
Esteemed Legend

You install the splunkstreamfwd.tgz app on your forwarder, set your ethernet adapter to promiscuous mode and you should have data coming in.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...