Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to line merge only a specific extracted sourcetype and not apply it to the entire source input from UDP:514

sab057
Explorer
‎02-04-2015 05:45 PM

Hi there, I am in the situation where a number of devices are forwarding to splunk on UDP:514. I can easily enough create new sourcetypes for them, however with one of these sourcetypes, namely my DHCP sourcetype, I need to be able to linemerge just this sourcetype and not the others. I was previously able to accomplish this by applying this in props.conf:

[source::UDP:514]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = notification

But of course, that line-merges all the other sourcetypes in UDP:514 as well.

Is there a way to line merge only a specific extracted sourcetype and not blanket apply it to the entire source input?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:04 PM

First off, read this: http://www.georgestarcher.com/splunk-success-with-syslog/

You can specify props.conf settings on a per-sourcetype basis - I'd even say that's the most common approach.

[your_sourcetype]
SHOULD_LINEMERGE = True
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...