Getting Data In

Apply line breaking and route fschange fullEvent to a different index

responsys_cm
Builder

When the fschange input indexes the full event, I would like to change the sourcetype, apply line breaking rules, and route the event to a different index. I found an example once, but it doesn't seem to be working...

My understanding was that the proper approach was to use props.conf to match on the source, set the sourcetype, apply the line breaking rules to the new sourcetype, and use transforms.conf to route the event to a different index.

Something like the following:

props.conf

    # Assign the sourcetype and change-detection method to sources matching this pattern
    [source::/etc*]
    sourcetype = config_file
    CHECK_METHOD = modtime

    # Line breaking, routing and segmentation for the assigned sourcetype
    [config_file]
    LINE_BREAKER = ^()$
    TRANSFORMS-configs = config_file_routing
    TRUNCATE = 1000000
    SHOULD_LINEMERGE = true
    DATETIME_CONFIG = CURRENT
    CHECK_METHOD = modtime
    KV_MODE = none
    pulldown_type = true
    SEGMENTATION-all = whitespace-only
    SEGMENTATION-inner = whitespace-only
    SEGMENTATION-outer = whitespace-only
    SEGMENTATION-standard = whitespace-only
    LEARN_MODEL = false

transforms.conf

    # Route every event (REGEX matches any character) to the "configs" index
    [config_file_routing]
    REGEX = .
    DEST_KEY = MetaData:Index
    FORMAT = configs
    WRITE_META = true

Splunk will see the change event in /etc and index the file. Most of the time, only the first line of the file is captured and the sourcetype ends in something-too-small. The full event shows up in the same index as the fschange event.

What am I doing wrong here?

Thx.

C


Flynt
Splunk Employee

What happens if you use the same format currently used in the *Nix_TA for your props.conf?

[source::(....(config|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))]
sourcetype = config_file

Where the extensions and sourcetype are pertinent to your own log files. This should allow you to reference the assigned sourcetype in the very same props.conf for your linebreaking and routing.
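An added example (not from this thread or from the *Nix TA) that combines the source-stanza style above with the line breaking and routing from the question. The `/etc/` path, the extension list, the `configs` index and the `MAX_EVENTS` value are assumptions; `...` is Splunk's wildcard for any characters including `/`, while `*` stops at `/`.

```ini
# props.conf  (added example; path, extensions and index are assumptions)

# 1. Assign the sourcetype from the source path. "..." matches anything
#    including "/", so files at any depth under /etc are covered; the
#    trailing "." before the extension list is literal, as in the *Nix TA.
[source::/etc/....(conf|cfg|ini|properties)]
sourcetype = config_file
CHECK_METHOD = modtime

# 2. Because the sourcetype is now assigned, the sourcetype stanza's
#    line breaking and routing settings apply to these files.
[config_file]
# Line breaking settings carried over from the question.
LINE_BREAKER = ^()$
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
# Line merging stops after MAX_EVENTS lines (default 256), so a large
# config file would otherwise be split into several events.
MAX_EVENTS = 100000
DATETIME_CONFIG = CURRENT
KV_MODE = none
TRANSFORMS-configs = config_file_routing

# transforms.conf
# The "configs" index must already be defined in indexes.conf; events
# routed to an index that does not exist are not indexed.
[config_file_routing]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = configs
WRITE_META = true
```

To confirm which stanza wins for the sourcetype on the instance that parses the data, run `splunk btool props list config_file --debug`, which prints each effective setting with the file it came from.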

Masa
Splunk Employee

Related info can be found here:

http://wiki.splunk.com/Deploy:HowToSetupFschange
