I have two Linux VMs set up, one with a Universal Forwarder and one with an Indexer. I have a script that generates dummy data (on the forwarder) that needs a custom sourcetype set up in order to parse the events correctly.
On the UF props.conf is currently empty, and inputs.conf contains:
[monitor:///home/splunk/data/data1*.soap]
_TCP_ROUTING = SOAP
disabled = false
sourcetype = soaptype
On the Indexer, props.conf contains:
[soaptype]
BREAK_ONLY_BEFORE =
As of right now my events aren't making it into the indexer at all. If I remove the sourcetype from inputs.conf and props.conf data appears, but it is splitting the events incorrectly.
Any suggestions? Many thanks!
↧