
Problem with Line breaking between Splunk 6.2.3 vs 6.3.0

We have a development environment (replica of prod) running Splunk 6.2.3 (upgraded from 6.1.5). I am testing monitoring of a file which has SNMP traps received using net-snmp snmptrapd on a *nix platform. Earlier this week I upgraded Splunk from 6.1.5 to 6.3.0 on a **new** standalone instance of the test environment to validate the new feature set, and import of the SNMP trap file was one of them.

I am noticing that line breaking doesn't seem to work on the upgraded 6.3.0 release. Is anyone else facing this situation?

In the 6.2.3 release, only the first event breaks incorrectly; all other events are breaking with or without the TA. In the 6.3.0 release, the events are getting merged.

*__Note:__* I added the events using the oneshot method.

To force line breaking on both releases I created props.conf with default values as below, still the same behavior:

```
[snmptrap:generic]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
```

Sample Traps logged as below:

```
2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->[traprec] TRAP, SNMP v1, community testing .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:52.45 .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->[traprec]) TRAP, SNMP v1, community testing .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1034) Uptime: 22 days, 19:41:53.07 .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
2015-09-25 11:30:14 10.11.12.13(via UDP: [trapforwarder]:162->[traprec]) TRAP, SNMP v1, community testing .1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:53.71 .1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
```
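A baseline to compare against the event counts each Splunk version indexes, added here as an example and not part of the original post: this Python sketch groups a snmptrapd log into events by starting a new event at every line that begins with a timestamp matching the stanza's `TIME_FORMAT`. It is not Splunk's line-breaking code, and the multi-line layout of the sample traps (header line followed by tab-indented continuation lines) is an assumption.

```python
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # same value as in the props.conf stanza
TS_LEN = len("2015-09-25 11:30:13")

# Constructed sample: the three traps from the post, with an ASSUMED layout
# (one header line, then tab-indented continuation lines per trap).
SAMPLE = """\
2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->[traprec] TRAP, SNMP v1, community testing
\t.1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:52.45
\t.1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
2015-09-25 11:30:13 10.11.12.13(via UDP: [trapforwarder]:162->[traprec]) TRAP, SNMP v1, community testing
\t.1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1034) Uptime: 22 days, 19:41:53.07
\t.1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
2015-09-25 11:30:14 10.11.12.13(via UDP: [trapforwarder]:162->[traprec]) TRAP, SNMP v1, community testing
\t.1.3.6.1.4.1.6827.10.17.7.1 Enterprise Specific Trap (1035) Uptime: 22 days, 19:41:53.71
\t.1.3.6.1.4.1.6827.10.17.3.1.1.1.1 = INTEGER: 1
"""

def starts_with_timestamp(line):
    """True if the first TS_LEN characters parse with TIME_FORMAT."""
    try:
        datetime.strptime(line[:TS_LEN], TIME_FORMAT)
        return True
    except ValueError:
        return False

def split_events(text):
    """Group lines into events; a timestamped line opens a new event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # ignore blank lines between traps
        if starts_with_timestamp(line) or not events:
            events.append([line])    # new event (or untimestamped first line)
        else:
            events[-1].append(line)  # continuation of the current event
    return events

def summarize(text):
    """Return (leading timestamp text, line count) for each event."""
    return [(e[0][:TS_LEN], len(e)) for e in split_events(text)]

if __name__ == "__main__":
    for ts, n in summarize(SAMPLE):
        print(f"{ts}  lines={n}")
```

Run it over the same file that was fed to oneshot; a search count on either instance that differs from the number of events reported here shows where events were merged or split.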
