Archive

Splunk for Nagios events

New Member

Currently when splunk eats the serviceperf and hostperf data the events come in as multi-line events. When in the nagios web view selecting splunk for a host may return a multi-line event that contains other hosts that came in at the same time. Is this as it should be? Would I be creating more problems by splitting the events so there is one single nagios event per event in splunk?

Thanks in advance.

Tags (2)
0 Karma

Contributor

Your props.conf should already have the following entry to ensure that each event is indexed as a single line:

/opt/splunk/etc/apps/SplunkForNagios/default/props.conf

[nagioshostperf]
SHOULD_LINEMERGE = false

[nagiosserviceperf]
SHOULD_LINEMERGE = false

You could try restarting splunk, I often find that this can solve line breaking issues 🙂

All the best,

Luke 🙂

0 Karma