https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454041#M96455 <P>the client machine has an universal forwarded installed, and the inputs.conf has the following</P> <P>[monitor://X:\Logs\Website]<BR /> disabled = false<BR /> index = sandbox_webservers_logs_errors<BR /> whitelist = errors<BR /> sourcetype = ErrorLog_json</P> <P>the index database shows 177 events which is correct then when i go to the search bar and i type the following it only give 1 line</P> <P><IMG src="https://community.splunk.com/storage/temp/268593-2-5-2019-5-15-34-pm.png" alt="alt text" /></P> <P><STRONG>index="sandbox_webservers_logs_errors" sourcetype="ErrorLog_json"</STRONG></P> Tue, 29 Sep 2020 23:10:00 GMT abilis 2020-09-29T23:10:00Z https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454039#M96453 <P>HI,</P> <P>does anyone know why when i use data preview or a manually upload the file and apply a custom json sourcetype everything seems to be fine and splunk is recognizing an event per line, but when i monitor a file from a remote server i can see in the index the exact number of event that i have in the remote file but the search only show 1 event </P> <P><IMG src="https://community.splunk.com/storage/temp/268592-2-5-2019-4-32-39-pm.png" alt="alt text" /></P> <P>in the remote inputs.conf file i have specified the name of the sourcetype i want to use</P> <P>[monitor://X:\Logs\Website]<BR /> disabled = false<BR /> index = sandbox_webservers_logs_errors<BR /> whitelist = errors<BR /><BR /> sourcetype = ErrorLog_json</P> <P>thanks for your help...</P> Tue, 29 Sep 2020 23:09:57 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454039#M96453 abilis 2020-09-29T23:09:57Z https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454040#M96454 <P>If your data is going through a heavy forwarder before it gets to your indexer, then you will need to put your <CODE>[ErrorLog_json]</CODE> sourcetype stanza on that heavy forwarder.</P> Tue, 05 Feb 2019 21:41:17 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454040#M96454 chrisyounger 2019-02-05T21:41:17Z https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454041#M96455 <P>the client machine has an universal forwarded installed, and the inputs.conf has the following</P> <P>[monitor://X:\Logs\Website]<BR /> disabled = false<BR /> index = sandbox_webservers_logs_errors<BR /> whitelist = errors<BR /> sourcetype = ErrorLog_json</P> <P>the index database shows 177 events which is correct then when i go to the search bar and i type the following it only give 1 line</P> <P><IMG src="https://community.splunk.com/storage/temp/268593-2-5-2019-5-15-34-pm.png" alt="alt text" /></P> <P><STRONG>index="sandbox_webservers_logs_errors" sourcetype="ErrorLog_json"</STRONG></P> Tue, 29 Sep 2020 23:10:00 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-different-output-in-the-data-preview-and-monitored-files/m-p/454041#M96455 abilis 2020-09-29T23:10:00Z