Hello,
I'm getting input from a log file the contents of which are a long listing of a directory containing .rpm files. When I search on the source or sourcetype I get a single event for every line in the log file. When I search on the index I directed the input to go to, it lumps entries together:
-rw------- 1 root root 1.2M Sep 3 13:17 cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm
-rw------- 1 root root 127K Sep 3 13:15 cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm
Is one event instead of two.
props.conf looks like this:
[sourcetype::RHEL_mon_log]
MUST_BREAK_AFTER = <\Q.rpm\E>
SHOULD_LINEMERGE=true
Any suggestions?
Via Ayn:
Confirm that the sourcetype in your props.conf matches what sourcetype is actually in splunk.
I think you have helped me solve the problem! I believe the sourcetype I had in my props.conf was incorrect. It needed to be [rhel_update_log] and not [RHEL_mon_log]. Thank you very much.
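For reference, an added props.conf stanza for this listing format (example config, not from the thread or Splunk's docs), assuming the sourcetype name rhel_update_log from the reply above: the stanza is the bare sourcetype name with no sourcetype:: prefix, each ls -l line is broken into its own event instead of being merged, and the field names size and package are assumed.

```ini
# props.conf (added example). The stanza is the sourcetype name itself;
# props.conf only takes "source::" and "host::" prefixes, never "sourcetype::".
[rhel_update_log]
# Every "ls -l" line is a complete event, so disable line merging entirely
# rather than tuning MUST_BREAK_AFTER (whose regex in the question was wrapped
# in literal "<" and ">" that never appear in the listing).
SHOULD_LINEMERGE = false
# Break on newlines; the capture group is consumed and not kept in the event.
LINE_BREAKER = ([\r\n]+)
# The timestamp follows five whitespace-separated fields
# (mode, link count, owner, group, size), e.g. "... 1.2M Sep  3 13:17 ...".
TIME_PREFIX = ^\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+
# ls -l omits the year for recent files; Splunk fills in the current year.
TIME_FORMAT = %b %e %H:%M
MAX_TIMESTAMP_LOOKAHEAD = 12
# Assumed field names: pull the size and package filename out of each event
# so a search can list which .rpm files appeared in the directory.
EXTRACT-rpm = (?<size>\S+)\s+\w{3}\s+\d+\s+\d\d:\d\d\s+(?<package>\S+\.rpm)$
```

Stanza names are case-sensitive, so rhel_update_log and RHEL_mon_log are different sourcetypes; after editing props.conf, re-index or verify against fresh data, since settings like LINE_BREAKER apply only at index time.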
OK, and the other search, for source/sourcetype?
The search I'm using is "index=rhel_update_mon". I'm relatively new to splunk so I'm trying to do the KISS thing and move on once I have a good understanding of the basics.
I can see that, because there's no reason why it would act like that. Could you please post more details about your searches?
I know, I had a co-worker of mine who's more knowledgeable than I take a look and he was confused as well.
I don't really get it - you're directing these logs to a particular index, and you get different results if you do "index=theindex" than if you do "sourcetype=thesourcetype"?? That sounds very weird to me...