Monitoring Splunk

How to set SHOULD_LINEMERGE = false as default when using monitor to upload data?

yunieyuna
New Member

Hi, I need to upload a bunch of logs into Splunk by using the monitor directory function.
But the data will be merged together if "SHOULD_LINEMERGE" is set to "true". I already know how to set it when uploading one file, but not when using "monitor".

Can anyone please help me?

0 Karma

woodcock
Esteemed Legend

Do not use the GUI for onboarding new data. Use the CLI and create an app with the settings that you need in the default folder.

0 Karma

harsmarvania57
Ultra Champion

Hi,

In this case, create a new unique sourcetype, assign it to the monitor stanza, and implement the config below on the Indexer/Heavy Forwarder.

props.conf

[yourSourcetype]
SHOULD_LINEMERGE = false
0 Karma
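The two answers above combined, as an added example that is not part of the original thread: a shell sketch that builds an app whose `default` folder holds a monitor stanza tagged with the new sourcetype plus the matching `props.conf`, then checks that the two files agree. The app name `onboard_mylogs` and the monitored directory `/var/log/myapp` are assumptions; `yourSourcetype` is the placeholder from the answer.

```shell
#!/usr/bin/env bash
set -e

# Write <apps_dir>/<app>/default/{inputs,props}.conf for one monitored path.
make_onboarding_app() {
    apps_dir=$1 app=$2 sourcetype=$3 monitor_path=$4
    default_dir="$apps_dir/$app/default"
    mkdir -p "$default_dir"

    # Read where the files live (forwarder): tag the input with the sourcetype.
    cat > "$default_dir/inputs.conf" <<EOF
[monitor://$monitor_path]
sourcetype = $sourcetype
disabled = false
EOF

    # Read on the Indexer/Heavy Forwarder, as the answer above states.
    # LINE_BREAKER is Splunk's default value, written out for clarity.
    cat > "$default_dir/props.conf" <<EOF
[$sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
EOF
}

# Succeeds only if every sourcetype assigned in inputs.conf has a props.conf
# stanza of the same name that sets SHOULD_LINEMERGE = false.
check_linemerge_off() {
    default_dir=$1
    for st in $(sed -n 's/^sourcetype *= *//p' "$default_dir/inputs.conf"); do
        awk -v want="[$st]" '
            /^\[/ { in_stanza = ($0 == want) }
            in_stanza && /^SHOULD_LINEMERGE *= *false *$/ { found = 1 }
            END { exit !found }
        ' "$default_dir/props.conf" || return 1
    done
}

# Demo against a scratch directory (assumed names: app onboard_mylogs,
# monitored directory /var/log/myapp).
APPS_DIR=${APPS_DIR:-$(mktemp -d)}
make_onboarding_app "$APPS_DIR" onboard_mylogs yourSourcetype /var/log/myapp
check_linemerge_off "$APPS_DIR/onboard_mylogs/default"
echo "app written to $APPS_DIR/onboard_mylogs"
```

On a real host the target directory is `$SPLUNK_HOME/etc/apps` (`%SPLUNK_HOME%\etc\apps` on Windows, where the same two files apply), and Splunk needs a restart to pick up the new app.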

yunieyuna
New Member

Hello Harsmarvania57,

Thank you so much for your answer!

Actually, I ran into another problem when I tried to create a new sourcetype.
I set SHOULD_LINEMERGE = false under the Advanced tab. However, every time I clicked the Save button, the setting automatically changed to "true". And the same situation happens again and again.

I added two screenshots as references.

Goal: ![alt text](https://ibb.co/0n5ngG3)
However: ![alt text](https://ibb.co/b1h5zjM)

0 Karma

harsmarvania57
Ultra Champion

As @woodcock suggested, it will be good to use the CLI instead of the GUI. I do most of my work on the CLI instead of the GUI.

0 Karma

pir8radio
Path Finder

Then please include instructions on how to do that in Windows Splunk.

0 Karma