Getting Data In

Apply line breaking and route fschange fullEvent to a different index

responsys_cm
Builder

When the fschange input indexes the full event, I would like to change the sourcetype, apply line breaking rules, and route the event to a different index. I found an example once, but it doesn't seem to be working...

My understanding was that the proper approach was to use props.conf to match on the source, set the sourcetype, apply the line breaking rules to the new sourcetype, and use transforms.conf to route the event to a different index.

Something like the following:

props.conf

[source::/etc*]
sourcetype = config_file
CHECK_METHOD = modtime

[config_file]
LINE_BREAKER = ^()$
TRANSFORMS-configs = config_file_routing
TRUNCATE = 1000000
SHOULD_LINEMERGE = true
DATETIME_CONFIG = CURRENT
CHECK_METHOD = modtime
KV_MODE = none
pulldown_type = true
SEGMENTATION-all = whitespace-only
SEGMENTATION-inner = whitespace-only
SEGMENTATION-outer = whitespace-only
SEGMENTATION-standard = whitespace-only
LEARN_MODEL = false

transforms.conf

[config_file_routing]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = configs
WRITE_META = true

Splunk will see the change event in /etc and index the file. Most of the time, only the first line of the file is captured and the sourcetype ends in something-too-small. The full event shows up in the same index as the fschange event.

What am I doing wrong here?

Thx.

C


Flynt
Splunk Employee

What happens if you use the same format currently used in the *Nix_TA for your props.conf?

[source::(....(config|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file

Where the extensions and sourcetype are pertinent to your own log files. This should allow you to reference the assigned sourcetype in the very same props.conf for your linebreaking and routing.
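The three pieces the question asks about (assigning a sourcetype from the source path, breaking the file into one event, and routing it to another index), put together with the recursive source pattern Flynt uses, as an added example that is not the poster's configuration, Flynt's, or Splunk's documentation. The `/etc` path, the `config_file` sourcetype and the `configs` index come from the thread; the `[fschange:/etc]` input stanza and its poll interval are assumptions added for a complete picture. Two details worth checking against your own files: in a `source::` stanza `*` does not cross a `/`, so `/etc*` does not reach `/etc/hosts` while `/etc/...` does (a file that lands in a sourcetype ending in `-too_small` is one that no explicit stanza matched), and the index destination key is `_MetaData:Index` with a leading underscore.

```ini
# Added example, not the original poster's config or Splunk's own documentation.
# Paths, index name and sourcetype name are assumptions taken from the thread.

# --- inputs.conf: watch /etc recursively and send the whole file on change ---
[fschange:/etc]
recurse = true
fullEvent = true
# pollPeriod (seconds) is an assumed value; sendEventMaxSize = -1 means no cap
# on the size of the fullEvent content.
pollPeriod = 600
sendEventMaxSize = -1

# --- props.conf ---
# "..." matches across directory separators, "*" does not; /etc/... therefore
# covers every file below /etc, including subdirectories.
[source::/etc/...]
sourcetype = config_file
CHECK_METHOD = modtime

[config_file]
# Keep the whole file as a single event: no automatic line merging, and a
# LINE_BREAKER that can never match (the capture group is still required).
# TRUNCATE = 0 disables truncation so a long file is not cut off.
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!x)x)
TRUNCATE = 0
DATETIME_CONFIG = CURRENT
KV_MODE = none
TRANSFORMS-routing = config_file_routing

# --- transforms.conf ---
# Route every event of this sourcetype to the "configs" index. The destination
# key carries a leading underscore.
[config_file_routing]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = configs
```

After restarting the instance that runs the input, a quick check is a search against the new index, for example `index=configs source="/etc/hosts"`, confirming that the event carries `sourcetype=config_file` and the full file body; the `configs` index must already exist on the indexer or the routed events are dropped.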

Masa
Splunk Employee

Related info can be found here:

http://wiki.splunk.com/Deploy:HowToSetupFschange

0 Karma