https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245821#M47523 <P>Hi,</P> <P>All great answers but I have splunk cloud and therefore no access to props.conf.</P> <P>I did try this but..... now I get no events <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>[root@pds2 bin]# ./splunk add monitor /home/icontrol/ucontrol/logs/gatewaySync.log -index pds2 -sourcetype _json </CODE></PRE> <P>Any way to do this just by using inputs.conf???</P> Thu, 25 Aug 2016 15:40:28 GMT dbcase 2016-08-25T15:40:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245818#M47520 <P>Hi,</P> <P>I have the below log data:</P> <PRE><CODE>16:37:56.875 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG splunk - {'externalRefId':'exr654321','message':'input: {"wifiNetwork":{"ssidName":"YOCTO_2.1S9","securityPassphrase":"xxxxxxx"}}'} 16:37:56.883 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG splunk - {'externalRefId':'exr654321','message':'Calling <A href="https://csp-stg.codebig2.net/selfhelp/account/exr654321/services/home/wifiNetwork'}" target="test_blank">https://csp-stg.codebig2.net/selfhelp/account/exr654321/services/home/wifiNetwork'}</A> 16:37:57.296 [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG splunk - {'externalRefId':'exr654321','message':'RMA service return 202','serverResponseTimeMs':'413'} </CODE></PRE> <P>and whenever it is imported into Splunk using the Universal Forwarder, it treats it as one event (see image)</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1765i0B4EA0493782C10B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How can I get Splunk to separate each line?</P> Wed, 24 Aug 2016 21:55:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245818#M47520 dbcase 2016-08-24T21:55:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245819#M47521 <P>Try adding this to your <CODE>props.conf</CODE> on the indexer and restart splunk</P> <PRE><CODE>[sourcetype_stanza_name] SHOULD_LINEMERGE=true TIME_FORMAT=%H:%M:%S.%3N </CODE></PRE> Wed, 24 Aug 2016 22:25:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245819#M47521 sundareshr 2016-08-24T22:25:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245820#M47522 <P>It looks like you are relying on Splunk to detect your events, given the sourcetype name of gatewaySync-too_small. I recommend you are explicit in defining your sourcetype on the receiving indexer(s) by creating a props.conf file and specifying the settings you want to apply.</P> <P>Try this: </P> <PRE><CODE>[yoursourcetypename] BREAK_ONLY_BEFORE=^\d+:\d+:d+\.\d+ SHOULD_LINEMERGE=false TIME_FORMAT=%H:%M:%S.%3N </CODE></PRE> <P>Then set <STRONG>sourcetype=yoursourcetypename</STRONG> in inputs.conf on your forwarder.</P> <P><A href="http://www.slideshare.net/Splunk/data-onboarding-61048253">This presentation</A> may be helpful, if you are new to Splunk; relevant stuff starting on slide 23.</P> Wed, 24 Aug 2016 23:45:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245820#M47522 s2_splunk 2016-08-24T23:45:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245821#M47523 <P>Hi,</P> <P>All great answers but I have splunk cloud and therefore no access to props.conf.</P> <P>I did try this but..... now I get no events <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>[root@pds2 bin]# ./splunk add monitor /home/icontrol/ucontrol/logs/gatewaySync.log -index pds2 -sourcetype _json </CODE></PRE> <P>Any way to do this just by using inputs.conf???</P> Thu, 25 Aug 2016 15:40:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245821#M47523 dbcase 2016-08-25T15:40:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245822#M47524 <P><A href="https://answers.splunk.com/answers/149597/im-struggling-with-how-i-should-be-doing-inputs-and-also-props-transforms-etc-stuff-within-splunk-cloud.html">This answers post</A> should give you a pretty good overview of how to work with SplunkCloud for both search-time as well as index-time settings. </P> Tue, 30 Aug 2016 23:50:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-break-my-sample-log-data-into/m-p/245822#M47524 s2_splunk 2016-08-30T23:50:08Z