Website input: How to break down events properly in props.conf configuration?

ninisimonishvil
Path Finder

I'm extracting info from a website. However, events were not breaking down properly, so I made some changes in the props.conf file.
Now it does what I expected it to do, however in a different sourcetype (stash_web_input).

Here is my props.conf file.

[source::...web_input_modular_input.log]
sourcetype=web_input_modular_input

[source::...python_modular_input.log]
sourcetype=python_modular_input

[source::...web_input_controller.log]
sourcetype=web_input_controller


[stash_web_input]
TRUNCATE = 0
# only look for ***SPLUNK*** on the first line
HEADER_MODE = firstline
# we can summary index past data, but rarely future data
MAX_DAYS_HENCE      = 2
MAX_DAYS_AGO        = 10000
# 5 years difference between two events
MAX_DIFF_SECS_AGO   = 155520000
MAX_DIFF_SECS_HENCE = 155520000
MAX_TIMESTAMP_LOOKAHEAD = 64
LEARN_MODEL = false
# break .stash_new custom format into events
SHOULD_LINEMERGE       = false
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER           = (\r?\n==##~~##~~  1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)

TRANSFORMS-0sourcetype = sourcetype_for_web_input_stash
TRANSFORMS-1sinkhole_web_input_header = sinkhole_web_input_header

I'm afraid of making the wrong changes. Can anyone suggest what I should configure to get the results (line breaking) for another source type (tenders)?

0 Karma

richgalloway
SplunkTrust

Without seeing some sample data, it's impossible to say what changes you should make. However, if the settings for stash_web_input work for you, why not copy them to tenders?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ninisimonishvil
Path Finder

When I use the same configuration indicating [tenders], it does not work.
I was thinking maybe I need to make changes in the transforms and inputs files too?

0 Karma

richgalloway
SplunkTrust

You should not need to change the files, but it's difficult to say with certainty without seeing them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
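
Since the thread has no sample data, one way to check whether a LINE_BREAKER pattern fits a sourcetype's raw text before editing props.conf is to run it against a sample offline. The following is an added example, not part of the original posts; it assumes Python's `re` behaves like Splunk's PCRE for these patterns and that SHOULD_LINEMERGE = false, and the sample records and the name `break_events` are constructed for illustration.

```python
import re

# LINE_BREAKER copied from the [stash_web_input] stanza in the question.
STASH_BREAKER = r"(\r?\n==##~~##~~  1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)"
# Splunk's documented default LINE_BREAKER.
DEFAULT_BREAKER = r"([\r\n]+)"

# Constructed sample data (not from the thread).
STASH_SAMPLE = (
    "title=Tender A\nprice=100\n"
    "==##~~##~~  1E8N3D4E6V5E7N2T9 ~~##~~##==\n"
    "title=Tender B\nprice=250"
)
PLAIN_SAMPLE = "title=Tender A\nprice=100\ntitle=Tender B\nprice=250\n"


def break_events(raw, line_breaker):
    """Split raw text the way LINE_BREAKER is documented to work: the text
    matched by the first capturing group is discarded, what precedes it ends
    one event and what follows it starts the next."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs at least one capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        if not m.group(1):  # group absent or empty: nothing to discard
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]  # drop empty leading/trailing pieces


if __name__ == "__main__":
    checks = [
        ("stash sample, stash breaker", STASH_SAMPLE, STASH_BREAKER),
        ("plain sample, stash breaker", PLAIN_SAMPLE, STASH_BREAKER),
        ("plain sample, default breaker", PLAIN_SAMPLE, DEFAULT_BREAKER),
    ]
    for label, sample, breaker in checks:
        events = break_events(sample, breaker)
        print(f"{label}: {len(events)} event(s)")
        for e in events:
            print("   ", repr(e))
```

A pattern that returns a single event for a sample, as the stash delimiter does for text that never contains it, will not break that sourcetype's data.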