Hi,
I am having trouble with the use of ***SPLUNK*** sourcetype=xxx for batch input with sinkhole option.
My inputs.conf looks like this:
[batch:///opt/sinkhole]
move_policy = sinkhole
and, the input file is this:
***SPLUNK*** host="myhost" sourcetype="mytype" source="mydata:myname"
2013/05/03 09:54:47.144780 1234567890123456789 key1=1
2013/05/03 09:54:47.144783 1234567890123456789 key1=0
2013/05/03 09:54:47.345111 1234567890123456789 key1=0
What I am doing is simply moving the file above into the sinkhole directory for batch indexing with metadata information specified after ***SPLUNK*** .
I am referring to the following doc, but the specified metadata information is still not reflected when indexing.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Assignmetadatatoeventsdynamically
Is there any missing configuration or am I doing something wrong?
Any comment would be appreciated.
Thank you!
To force the header detection, add in props.conf:
[source::/opt/sinkhole/.../*]
HEADER_MODE=always
See http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Propsconf
Thank you for your answer!
HEADER_MODE =
* Determines whether to use the inline ***SPLUNK*** directive to rewrite index-time fields.
* If "always", any line with ***SPLUNK*** can be used to rewrite index-time fields.
* If "firstline", only the first line can be used to rewrite index-time fields.
* If "none", the string ***SPLUNK*** is treated as normal data.
* If
* Defaults to
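
The three HEADER_MODE values quoted above, modelled as a small Python simulation (an added example, not Splunk code and not part of the original thread). The DEFAULTS values, the second header line in SAMPLE, and the rule that the marker sits at the start of a line are assumptions made for illustration.

```python
import re

MARKER = "***SPLUNK***"
# key="value" or key=value pairs following the marker
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def apply_header_mode(lines, mode, defaults):
    """Return [(metadata, raw_event), ...] as the quoted rules describe.

    Models only the documented always / firstline / none behaviour,
    not Splunk's real parsing pipeline.
    """
    if mode not in ("always", "firstline", "none"):
        raise ValueError("unsupported HEADER_MODE: %r" % mode)
    meta = dict(defaults)
    events = []
    for lineno, line in enumerate(lines):
        # Assumption: a header is a line that starts with the marker.
        honoured = line.startswith(MARKER) and (
            mode == "always" or (mode == "firstline" and lineno == 0))
        if honoured:
            # Header rewrites metadata for the events that follow it.
            for key, quoted, bare in PAIR.findall(line[len(MARKER):]):
                meta[key] = quoted if quoted else bare
            continue
        # Anything else, including an ignored header, is indexed as data.
        events.append((dict(meta), line))
    return events

# Input file from the question, plus one constructed mid-file header.
SAMPLE = [
    '***SPLUNK*** host="myhost" sourcetype="mytype" source="mydata:myname"',
    '2013/05/03 09:54:47.144780 1234567890123456789 key1=1',
    '***SPLUNK*** host="otherhost"',  # constructed, not in the question
    '2013/05/03 09:54:47.144783 1234567890123456789 key1=0',
]
# Constructed stand-ins for what the input would assign without a header.
DEFAULTS = {"host": "indexer-placeholder",
            "sourcetype": "placeholder-type",
            "source": "/opt/sinkhole/placeholder.log"}

if __name__ == "__main__":
    for mode in ("always", "firstline", "none"):
        print("HEADER_MODE=%s" % mode)
        for meta, raw in apply_header_mode(SAMPLE, mode, DEFAULTS):
            print("  host=%-20s %s" % (meta["host"], raw[:40]))
```

Running it over a file before moving it into the sinkhole shows which events would take host, source and sourcetype from in-band header lines under each mode.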