Getting Data In

Is there a way to line merge only a specific extracted sourcetype and not apply it to the entire source input from UDP:514

sab057
Explorer

Hi there, I am in the situation where a number of devices are forwarding to splunk on UDP:514. I can easily enough create new sourcetypes for them, however with one of these sourcetypes, namely my DHCP sourcetype, I need to be able to linemerge just this sourcetype and not the others. I was previously able to accomplish this by applying this in props.conf:

[source::UDP:514]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = notification

But of course, that line-merges all the other sourcetypes in UDP:514 as well.

Is there a way to line merge only a specific extracted sourcetype and not blanket apply it to the entire source input?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

First off, read this: http://www.georgestarcher.com/splunk-success-with-syslog/

You can specify props.conf settings on a per-sourcetype basis - I'd even say that's the most common approach.

[your_sourcetype]
SHOULD_LINEMERGE = True
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...