My custom script writes its log to /opt/splunk/var/log/splunk/script.log.
I want the log to be indexed in _internal, but I have to define a customized sourcetype so that the log is written with proper line breaks. Please let me know how to define a sourcetype for the _internal data.
In your inputs.conf file, add:
[monitor:///opt/splunk/var/log/splunk/script.log]
sourcetype = foo
index = _internal
In your props.conf file, add the following. Adjust the values to match your data.
[foo]
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
SHOULD_LINEMERGE = false
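To check the [foo] values against your own data before deploying them, the sketch below approximates in Python how LINE_BREAKER, TIME_PREFIX and TIME_FORMAT act on a sample of script.log. It is an added example, not part of the original answer and not Splunk's code; the sample lines and ALT_BREAKER are constructed for illustration, and TRUNCATE is applied in characters rather than bytes.

```python
import re
from datetime import datetime

# Values copied from the [foo] stanza in the answer above.
LINE_BREAKER = r"([\r\n]+)"
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
# Assumption (not on the page): break only where a new timestamp follows,
# so multi-line output such as a traceback stays in one event.
ALT_BREAKER = r"([\r\n]+)\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"

# Constructed sample of script.log content (not real output).
SAMPLE = (
    "03/14/2024 09:15:02 INFO job started\r\n"
    "03/14/2024 09:15:07 ERROR upload failed\n"
    "Traceback (most recent call last):\n"
    '  File "upload.py", line 12, in push\n'
    "03/14/2024 09:15:09 INFO job finished\n"
)

def break_events(raw, breaker=LINE_BREAKER):
    """Split where the first capture group matches; that text is dropped."""
    events, start = [], 0
    for m in re.finditer(breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)  # anything matched after group 1 stays in the next event
    events.append(raw[start:])
    return [e[:TRUNCATE] for e in events if e]

def extract_time(event):
    """Parse a timestamp at the event start (TIME_PREFIX = ^), else None."""
    width = len(datetime(2000, 12, 31, 23, 59, 59).strftime(TIME_FORMAT))
    head = event[:MAX_TIMESTAMP_LOOKAHEAD][:width]
    try:
        return datetime.strptime(head, TIME_FORMAT)
    except ValueError:
        return None

def check(raw, breaker=LINE_BREAKER):
    """Return (timestamp or None, event text) for every event."""
    return [(extract_time(e), e) for e in break_events(raw, breaker)]

if __name__ == "__main__":
    for ts, event in check(SAMPLE):
        print(ts or "NO TIMESTAMP", "|", event.rstrip())
```

Events reported without a timestamp are continuation lines that the posted LINE_BREAKER split off on their own; passing ALT_BREAKER to check() shows the same sample with those lines kept inside the event they belong to.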
Thanks it works!!!