I've been fighting with what seems to be a simple configuration to input a nonstandard text format for 2 days now. The only configuration that I believe I need in the sourcetype stanza in props is a BREAK_ONLY_BEFORE. The configuration makes perfect sense but it simply isn't working. In fact, when I manually set the sourcetype the indexer finds no events at all. When left on automatic it finds events but they're not valid or malformed.
After a full day of poring over the answers here, I find this buried away where it took forever to find:
http://answers.splunk.com/questions/7191/log-file-not-breaking-correctly/7211#7211
And what do you know. There were a number of incorrect assumptions tucked away in the learned app files, including some entries in files other than props. Cleaning those out made everything work like the magic I was expecting.
Thanks meno!