https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535062#M89749 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> yes, props.conf is pushed from CM to indexers</P><P>The reason that the sourcetype is being set based on host name is because the sourcetype includes the environment - e.g. dev1, dev2, prod1, prod2 etc&nbsp; The source file has the same path and name on all servers.&nbsp; The consumers of the logs do not necessarily know which hosts make up which environment.&nbsp; Therefore, by including the environment in the sourcetype, the users can find their data more easily.</P> Thu, 07 Jan 2021 15:29:55 GMT timrich66 2021-01-07T15:29:55Z https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535027#M89747 <P>Hello helpful people,</P><P>I'm afraid I have an issue that is related to many questions already asked, but I have not been able to come up with a solution.</P><P>I have a log file that creates large events - more than 257 lines at a time.</P><P>To test the file, I took an extract and uploaded it manually.&nbsp; Using this file, I was able to create props.conf entry as shown below and the events ingested correctly, without breaking.</P><P>When I applied this to our clustered environment, the breaking has returned.</P><P><U>Events -</U></P><DIV class="raw-event normal wrap ">++++ <SPAN class="t">information</SPAN> <SPAN class="t">2021-01-06</SPAN> <SPAN class="t">16:38:53</SPAN> <SPAN class="t">host</SPAN> <SPAN class="t">=</SPAN>&nbsp;xxxx.xxxx<SPAN class="t">.net</SPAN> <SPAN class="t">process</SPAN> <SPAN class="t">=</SPAN> <SPAN class="t">00002fa8</SPAN> <SPAN class="t">thread</SPAN> <SPAN class="t">=</SPAN> <SPAN class="t">73ffe380</SPAN> <SPAN class="t">context</SPAN> <SPAN class="t">=</SPAN> <SPAN class="t">Server::calculate</SPAN>(), <SPAN class="t">module</SPAN> <SPAN class="t">Request</SPAN> <SPAN class="t">failed</SPAN> <SPAN class="t">with</SPAN> <SPAN class="t">error</SPAN>(<SPAN class="t">s</SPAN>)<SPAN class="t">:</SPAN> &lt;?<SPAN class="t">xml</SPAN> <SPAN class="t">version=</SPAN>'<SPAN class="t">1.0</SPAN>'?&gt;</DIV><P>&nbsp;Show all 257 lines</P><DIV class="raw-event normal wrap ">[<SPAN class="t">031004</SPAN>] <SPAN class="t">Variable</SPAN> &nbsp;<SPAN class="t">has</SPAN> <SPAN class="t">no</SPAN> <SPAN class="t">value.</SPAN> [<SPAN class="t">035006</SPAN>] <SPAN class="t">Cannot</SPAN> <SPAN class="t">have</SPAN> <SPAN class="t">child</SPAN> &amp;<SPAN class="t">lt</SPAN>;xxxxx[<SPAN class="t">E.3</SPAN>] (<SPAN class="t">B6I2</SPAN>)&amp;<SPAN class="t">gt</SPAN>; (xxx) <SPAN class="t">on</SPAN> <SPAN class="t">link</SPAN>&nbsp;xxxxxxxxxxxxxxxxxxx&nbsp;&nbsp;(<SPAN class="t">B6I1</SPAN>)&amp;<SPAN class="t">gt</SPAN>; &lt;<SPAN class="t">/clc:Error</SPAN>&gt; &lt;<SPAN class="t">/xxxx__xxxxx_xxxx_xxx_f123_2&gt;</SPAN></DIV><P>&nbsp;Show all 257 lines</P><P><U>props.conf</U></P><P>[source::///xxxx/Log/xxxxServer.log]<BR />SHOULD_LINEMERGE=true<BR />MAX_EVENTS=10000<BR />TIME_PREFIX=\+\+\+\+ \w+</P><P>The reason I am using source and not sourcetype is because this source file is common to a number of environments and I am already changing sourcetype using props and transforms to determine the sourcetype per servername.</P><P>Thanks in advance for help - much appreciated.</P> Thu, 07 Jan 2021 09:22:08 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535027#M89747 timrich66 2021-01-07T09:22:08Z https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535049#M89748 <P>How did you apply the props.conf to your cluster?&nbsp; They should be installed on the indexers (pushed from the CM).</P><P>IMO, one should not be changing sourcetypes based on the server name.&nbsp; Source types refer to a <STRONG>kind</STRONG> of data.&nbsp; Kinds do not change because the server name changed.&nbsp; If you need to distinguish originating servers then use the <FONT face="courier new,courier">host</FONT> field.</P> Thu, 07 Jan 2021 14:06:14 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535049#M89748 richgalloway 2021-01-07T14:06:14Z https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535062#M89749 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> yes, props.conf is pushed from CM to indexers</P><P>The reason that the sourcetype is being set based on host name is because the sourcetype includes the environment - e.g. dev1, dev2, prod1, prod2 etc&nbsp; The source file has the same path and name on all servers.&nbsp; The consumers of the logs do not necessarily know which hosts make up which environment.&nbsp; Therefore, by including the environment in the sourcetype, the users can find their data more easily.</P> Thu, 07 Jan 2021 15:29:55 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/535062#M89749 timrich66 2021-01-07T15:29:55Z https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/536011#M89874 <P>Hello All,</P><P>FYI - I have found the issue.&nbsp; Deliberate mistake?&nbsp; Maybe not, but it should have been obvious..</P><P>Original props.conf -&nbsp;</P><P><SPAN>[source::///xxxx/Log/xxxxServer.log]</SPAN><BR /><SPAN>SHOULD_LINEMERGE=true</SPAN><BR /><SPAN>MAX_EVENTS=10000</SPAN><BR /><SPAN>TIME_PREFIX=\+\+\+\+ \w+</SPAN></P><P><SPAN>Working props.conf</SPAN></P><P><SPAN>[source::///xxxx/Log/xxxxServer.log]<BR />SHOULD_LINEMERGE = true<BR />MAX_EVENTS = 10000<BR />TIME_PREFIX = \+\+\+\+ \w+</SPAN></P><P><SPAN>Yes, it was pesky spaces <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Watch out for them!&nbsp; All now working as planned.</SPAN></P> Fri, 15 Jan 2021 14:35:39 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Merge-difficulties/m-p/536011#M89874 timrich66 2021-01-15T14:35:39Z