Getting Data In

Apply line breaking and route fschange fullEvent to a different index

responsys_cm
Builder

When the fschange input indexes the full event, I would like to change the sourcetype, apply line breaking rules, and route the event to a different index. I found an example once, but it doesn't seem to be working...

My understanding was that the proper approach was to use props.conf to match on the source, set the sourcetype, apply the line breaking rules to the new sourcetype, and use transforms.conf to route the event to a different index.

Something like the following:

props.conf

[source::/etc*]
sourcetype = config_file
CHECK_METHOD = modtime

[config_file]
LINE_BREAKER = ^()$
TRANSFORMS-configs = config_file_routing
TRUNCATE = 1000000
SHOULD_LINEMERGE = true
DATETIME_CONFIG = CURRENT
CHECK_METHOD = modtime
KV_MODE = none
pulldown_type = true
SEGMENTATION-all = whitespace-only
SEGMENTATION-inner = whitespace-only
SEGMENTATION-outer = whitespace-only
SEGMENTATION-standard = whitespace-only
LEARN_MODEL = false

transforms.conf

[config_file_routing]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = configs
WRITE_META = true

Splunk will see the change event in /etc and index the file. Most of the time, only the first line of the file is captured and the sourcetype ends in something-too-small. The full event shows up in the same index as the fschange event.

What am I doing wrong here?

Thx.

C


Flynt
Splunk Employee

What happens if you use the same format currently used in the *Nix_TA for your props.conf?

[source::(....(config|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file

Where the extensions and sourcetype are pertinent to your own log files. This should allow you to reference the assigned sourcetype in the very same props.conf for your linebreaking and routing.
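To see why the question's [source::/etc*] stanza does not reach files under /etc while the *Nix_TA-style pattern above does, here is an added Python script (not Splunk's code and not from this thread) that approximates how Splunk evaluates props.conf source:: stanza names. It assumes the props.conf.spec wildcard rules (`...` matches across directory separators, `*` matches within one path component, everything else is an anchored regex) and that fschange reports the file path as the event's source; the sample paths are constructed.

```python
import re

# Assumption: Splunk turns a [source::<pattern>] stanza name into an
# anchored regex where "..." becomes ".*" (crosses "/") and "*" becomes
# "[^/]*" (stays inside one path component); other characters are passed
# through as ordinary regex syntax, which is why (a|b) alternation works.
def source_stanza_to_regex(pattern: str) -> re.Pattern:
    """Translate a props.conf source:: stanza name into a compiled regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")        # recursive wildcard
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")     # single-component wildcard
            i += 1
        else:
            out.append(pattern[i])  # regex syntax or literal character
            i += 1
    return re.compile("".join(out))


def matches_source(pattern: str, source: str) -> bool:
    """True when the whole source path matches the stanza pattern."""
    return source_stanza_to_regex(pattern).fullmatch(source) is not None


# Constructed sample sources, as fschange would report them (file paths).
SAMPLE_SOURCES = ["/etc/hosts", "/etc/ssh/sshd_config", "/etc/splunk.ini", "/etc"]


def which_sources_match(pattern: str) -> list:
    """Return the constructed sources a given stanza pattern would match."""
    return [s for s in SAMPLE_SOURCES if matches_source(pattern, s)]


if __name__ == "__main__":
    patterns = [
        "/etc*",       # the question's stanza: "*" cannot cross "/"
        "/etc/...",    # hypothetical alternative that recurses under /etc
        "(....(config|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))",
    ]
    for p in patterns:
        print(f"[source::{p}] matches {which_sources_match(p)}")
```

Run as-is it shows that `/etc*` matches only the bare `/etc` path, so the config_file sourcetype (and with it the line breaking and the index routing) is never applied to the files fschange actually indexes.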

Masa
Splunk Employee

Related info can be found here:

http://wiki.splunk.com/Deploy:HowToSetupFschange
