So we are using the aws add on to retrieve elb logs from a s3 bucket. The logs are simply 1 event per a line. But splunk is having trouble indexing them. So the events look something like this:
Svl ES256-SHA TLSv1 --- "-" 18 HTTP/1.1" "WidgetSystem/6.1.3" AES256-SHA TLSv1
I tried to create a sourcetype to just take things as one line, but when I change sourcetype = aws:s3 to whatever I call my sourcetypes, all the logs just stop working until I change it back. Is there a way to modify the aws:s3 sourcetype to take items as one event per log. Or at least create a new sourcetype I can modify that will keep s3 logs flowing.
you should just be able to set the sourcetype that the data is indexed as, then create props.conf and transforms.conf entries as you like for that sourcetype.
Depending on what you mean by "the logs just stop working"...
So I tried the props.conf as that is normally how I add sourcetypes. But what I mean by they stop working is that nothing gets indexed. You can see them coming in every minute until I restart the forwarders then it just stops. No new events, even when searching just by sourcetype. So I have a feeling your first bullet point is what is happening. But I would be pretty impressed if somehow my amazon ELBs started sending surrealist films.
I have the same problem. Overall configuration S3 input with AWS add-on is magic. Sometimes it works sometimes not. For sure once I change default sourcetype for S3 input from aws:s3 to cisco:umbrella:s3 (my name I chose) the input stops working. Nothing gets indexed.
Having sourcetype named aws:s3 does not make sense. It's not sourcetype, it's basically a source.