Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Index Line Breaks
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm getting input from a log file the contents of which are a long listing a directory containing .rpm files. When I search on the source or sourcetype I get a singe event for every line in the log file. When I search on the index I directed the input to go to, it lumps entries together:
-rw------- 1 root root 1.2M Sep 3 13:17 cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm
-rw------- 1 root root 127K Sep 3 13:15 cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm
Is one event instead of two.
props.conf looks like this:
[sourcetype::RHEL_mon_log]
MUST_BREAK_AFTER = <\Q.rpm\E>
SHOULD_LINEMERGE=true
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Via Ayn:
Confirm that the sourcetype in your props.conf matches what sourcetype is actually in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Via Ayn:
Confirm that the sourcetype in your props.conf matches what sourcetype is actually in splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you have have helped me solve the problem! I believe the sourcetype I had in my props.conf was incorrect. It needed to be [rhel_update_log] and not [RHEL_mon_log] Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, and the other search, for source/sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search I'm using is "index=rhel_update_mon". I'm relatively new to splunk so I'm trying to do the KISS thing and move on once I have a good understanding of the basics.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can see that, because there's no reason why it would act like that. Could you please post more details about your searches?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know, I had a co-worker of mine who's more knowledgeable than I take a look and he was confused as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't really get it - you're directing these logs to a particular index, and you get different results if you do "index=theindex" than if you do "sourcetype=thesourcetype"?? That sounds very weird to me...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
