All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Website input: How to break down events properly in props.conf configuration?

ninisimonishvil
Path Finder
‎02-12-2018 05:34 AM

I'm extracting info from a website. However events were not breaking down properly, so I made some changes in props.conf file
Now it does what I expected it to do however in the different sourcetype (stash_web_input)

her is my props.conf file. 

[source::...web_input_modular_input.log]
sourcetype=web_input_modular_input

[source::...python_modular_input.log]
sourcetype=python_modular_input

[source::...web_input_controller.log]
sourcetype=web_input_controller


[stash_web_input]
TRUNCATE = 0
# only look for ***SPLUNK*** on the first line
HEADER_MODE = firstline
# we can summary index past data, but rarely future data
MAX_DAYS_HENCE      = 2
MAX_DAYS_AGO        = 10000
# 5 years difference between two events
MAX_DIFF_SECS_AGO   = 155520000
MAX_DIFF_SECS_HENCE = 155520000
MAX_TIMESTAMP_LOOKAHEAD = 64
LEARN_MODEL = false
# break .stash_new custom format into events
SHOULD_LINEMERGE       = false
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER           = (\r?\n==##~~##~~  1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)

TRANSFORMS-0sourcetype = sourcetype_for_web_input_stash
TRANSFORMS-1sinkhole_web_input_header = sinkhole_web_input_header

I'm afraid to make wrong changes. Can anyone suggest what I shall configure to get the results (line breaking) for another source type ( tenders)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2018 06:00 AM

Without seeing some sample data, it's impossible to say what changes you should make. However, if the settings for stash_web_input work for you, why not copy them to tenders?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ninisimonishvil
Path Finder
‎02-12-2018 06:04 AM

when I use the same configuration indicating [tenders] it does not work.
I was thinking maybe I need to make changes in transforms and inputs file too?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2018 06:32 AM

You should not need to change the files, but it's difficult to say with certainty without seeing them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...