- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Index Line Breaks
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm getting input from a log file the contents of which are a long listing a directory containing .rpm files. When I search on the source or sourcetype I get a singe event for every line in the log file. When I search on the index I directed the input to go to, it lumps entries together:
-rw------- 1 root root 1.2M Sep 3 13:17 cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm
-rw------- 1 root root 127K Sep 3 13:15 cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm
Is one event instead of two.
props.conf looks like this:
[sourcetype::RHEL_mon_log]
MUST_BREAK_AFTER = <\Q.rpm\E>
SHOULD_LINEMERGE=true
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Via Ayn:
Confirm that the sourcetype in your props.conf matches what sourcetype is actually in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Via Ayn:
Confirm that the sourcetype in your props.conf matches what sourcetype is actually in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you have have helped me solve the problem! I believe the sourcetype I had in my props.conf was incorrect. It needed to be [rhel_update_log] and not [RHEL_mon_log] Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, and the other search, for source/sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search I'm using is "index=rhel_update_mon". I'm relatively new to splunk so I'm trying to do the KISS thing and move on once I have a good understanding of the basics.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can see that, because there's no reason why it would act like that. Could you please post more details about your searches?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know, I had a co-worker of mine who's more knowledgeable than I take a look and he was confused as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't really get it - you're directing these logs to a particular index, and you get different results if you do "index=theindex" than if you do "sourcetype=thesourcetype"?? That sounds very weird to me...
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
