topic Re: Getting my priority's straight in Getting Data In

Getting my priority's straight

cramasta — Thu, 16 May 2013 14:36:54 GMT

I have a question about how priority's work in a single props.conf file. If i have the two stanzas below and I index a file localted at /opt/system1/apps/logs/myfile.log what is the complete stanza that is used for processing the data. I am running 4.3.5

[source::/opt/*/apps/logs/*.log] sourcetype=sourcetype1 TIME_PREFIX=^ TIME_FORMAT=%F %H:%M:%S,%3N LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2}) priority = 1

[source::/opt/system1/apps/logs/myfile.log] sourcetype=sourcetype2 DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false priority = 2 MAX_EVENTS = 1

Because the source of the file matches both stanzas does Splunk merge the two stanzas together and any duplicate settings will be set to the stanza with the highest priority?

Would the final settings that get applied be

sourcetype=sourcetype2 DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false MAX_EVENTS = 1 TIME_PREFIX=^ TIME_FORMAT=%F %H:%M:%S,%3N LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2})

Re: Getting my priority's straight

bmacias84 — Thu, 16 May 2013 16:39:50 GMT

Last stanza applied wins.

Re: Getting my priority's straight

wbfoxii — Thu, 16 May 2013 18:16:04 GMT

Couldn't you run btool

bin/splunk btool props list | less

And list out what the composite props.conf file is?

Re: Getting my priority's straight

cramasta — Thu, 16 May 2013 18:57:33 GMT

Yes I have done that and btool is showing that merging the stanzas together is NOT the case, BUT my logs are not line breaking correctly and the only thing that would have made sense is if they are being merged together so i figured I would ask.

Re: Getting my priority's straight

bmacias84 — Thu, 16 May 2013 21:27:10 GMT

I am not sure how you have your inputs.conf configured, but I seems you should be doing your sourcetype separation there. I've included a sample of an inputs.conf and props.conf I would use for your scenario.



#inputs.conf

[monitor:///opt/*/apps/logs/*.log]

blacklist=/opt/system1/apps/logs/myfile.log

sourcetype=sourcetype1




[monitor:///opt/system1/apps/logs/myfile.log]

sourcetype=sourcetype2



#props.conf

[sourcetype1]

TIME_PREFIX=^

TIME_FORMAT=%F %H:%M:%S,%3N

LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2})

priority = 1




[sourcetype2]

DATETIME_CONFIG=CURRENT

SHOULD_LINEMERGE=false

priority = 2

MAX_EVENTS = 1

Hope this helps or gives you some ideas. Dont forget to vote and accept answser that help.

Cheers,

Re: Getting my priority's straight

cramasta — Mon, 28 Sep 2020 13:55:38 GMT

My configurations pretty much match what you have. the problem is that sourcetype2 is not following the max_events=1 rule (events are being made up of multiple lines instead of 1 line per event). If i add the time_prefix, time_format_and line_breaker setting to sourcetype2 stanza then my events will be made up of multiple lines, (this goes back to my reason for posting to see if the stanzas are getting merged together which would explain why my events are being made up of multiple lines.)