Solved: How can I index config files and text documents as...

Ron_Naken · ‎02-10-2011

When I configure Splunk to index a folder containing config files and text documents, it indexes each line of the files as separate events. I would like to index each file as its own event, allowing me to use diff and other commands to itemize changes to the files. Once Splunk is integrated with our ticketing system, it can then determine if changes were authorized, and it can then alert the appropriate team, accordingly.

Ron_Naken · ‎02-10-2011

Here's a props.conf trick that's used by the *NIX app to consume long outputs as a single entry. A stanza like the following will allow you to consume your entire config file or document as a single event. Be sure to manually set your sourcetype on the Data Input to whatever you use in your stanza (myconfigs in the example):

[myconfigs]
SHOULD_LINEMERGE=false
LINE_BREAKER=(?=!)
TRUNCATE=1000000

View solution in original post

Ron_Naken · ‎02-10-2011

Here's a props.conf trick that's used by the *NIX app to consume long outputs as a single entry. A stanza like the following will allow you to consume your entire config file or document as a single event. Be sure to manually set your sourcetype on the Data Input to whatever you use in your stanza (myconfigs in the example):

[myconfigs]
SHOULD_LINEMERGE=false
LINE_BREAKER=(?=!)
TRUNCATE=1000000

gkanapathy · ‎02-10-2011

corrected LINE_BREAKER regex from (?=) to (?!). Basically, you want a regex that will never match as the LINE_BREAKER, i.e., you never want to break a line.

How can I index config files and text documents as individual events?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms