Hello,
I configured the UF to monitor a JSON file in a specific directory, but it's not forwarding it to the indexers.
The output is working properly, as there are files being sent to the indexers.
Here is my input file:
[monitor://C:\temp\*.json]
index=test1
sourcetype=test_styp
My props:
[test_styp]
INDEXED_EXTRACTIONS =json
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N+%4N
TIME_PREFIX="observedTime":"
MAX_TIMESTAMP_LOOKAHEAD=28
The Splunk logs state the following: "Adding watch on path splunk [monitor://C:\temp\*]", but nothing is being ingested.
I tried running this SPL search on my SH to check if something related to JSON extraction is but nothing returned:
test_styp | rex "incoming=\"(?.+)\", transformed=" | spath = incoming
Could you please help?