Hi beloved Splunkers,
I'm currently trying to set up a data connection between one of our servers and my Splunk deployment. Unfortunately, I encountered some problems when it comes to Splunk recognizing line-endings and -beginnings.
Let's take a closer look at my current problem.
I have a data file with events that look kinda like that:
<666> this, is, the, event, number, 1,<666> this, is, the, event, number, 2,<666> this, is, the, event, number, 3, but, it, is, slightly, longer, than, the, others,<666> this, is, the, event, number, 4,<666> splunk, fast, like, a, f-18, bro,<666> this, is, the, event, number, 6,
What you can see here is that all those events have something in common.
Yeah, it's the "<666>" part.
Splunk is flawless, I give you that, but for some reason, it sometimes combines two single events into one.
So I was thinking that I need to configure a stanza in props.conf on the forwarder to tell Splunk how to decide when a new event starts.
I did write one, but failed.... maybe?!?
[source::/path/to/file/]
BREAK_ONLY_BEFORE = (\<\d+\>)
SHOULD_LINEMERGE = True
I would love to know if someone out there is brave enough to tell me the right solution.
Thank you for your help, bro/sis!
Regards,
pyro_wood
----------
Splunk> like a F-18, bro ♥
How to configure proper line breaking in props.conf on the universal forwarder for my sample data?
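An added example, not part of the original post and not Splunk's own code: a small Python model of the documented behaviour of line-based `BREAK_ONLY_BEFORE` merging versus a `LINE_BREAKER` with a capture group, run over the sample data from the post. It assumes the events arrive on one physical line as shown; the function names and the pattern `([\r\n]*)<\d+>` are illustrative choices.

```python
import re

# Simplified model for illustration only; this is not Splunk's parser.
# Constructed sample, copied from the post's example data (one physical line).
RAW = ("<666> this, is, the, event, number, 1,"
       "<666> this, is, the, event, number, 2,"
       "<666> this, is, the, event, number, 3, but, it, is, slightly, longer, than, the, others,"
       "<666> this, is, the, event, number, 4,"
       "<666> splunk, fast, like, a, f-18, bro,"
       "<666> this, is, the, event, number, 6,")

def line_breaker(raw, pattern):
    """Model of LINE_BREAKER: the first capture group marks the boundary.
    The previous event ends where group 1 starts, the next begins where it
    ends, and the text matched by group 1 is discarded."""
    events, start = [], 0
    for m in re.finditer(pattern, raw):
        if m.start(1) > start:
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    if start < len(raw):
        events.append(raw[start:])
    return events

def break_only_before(raw, pattern):
    """Model of SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: the stream is
    first cut into lines at newlines, then a new event starts only at a line
    that matches the pattern."""
    events = []
    for line in raw.splitlines():
        if re.search(pattern, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

if __name__ == "__main__":
    merged = break_only_before(RAW, r"(\<\d+\>)")
    split = line_breaker(RAW, r"([\r\n]*)<\d+>")
    print(len(merged), "event(s) with line-based BREAK_ONLY_BEFORE")
    print(len(split), "event(s) with LINE_BREAKER = ([\\r\\n]*)<\\d+>")
    for e in split:
        print(repr(e))
```

In a real deployment, event-breaking settings of this kind take effect where parsing happens (an indexer or heavy forwarder), not on a universal forwarder.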