Getting Data In

Configuration of props.conf and input.conf

edrivera3
Builder

Hi
I am interested to upload two distinct files form multiple directories. I have done this previously by using Splunk-web, but now I am trying to do it by modifying props.conf and input.conf. So I have two files that have two different extension. So I believe my input.conf goes like this

[monitor://C:/User/.../Data/...]
index = my_index1
sourcetype = my_sourcetype1
whitelist = .tir$
initCrcLength = 4000

[monitor://C:/User/.../Data/...]
index = my_index2
sourcetype = my_sourcetype2
whitelist = .JobEvent$
initCrcLength = 4000

Both sourcetype are custom. The events are very long. I am no sure if I'm starting the stanza correctly with the sourcetype. Please let me know I if this look right.

[my_sourcetype1]
SHOULD_LINEMERGER = true
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
category = Custom
MAX_EVENTS = 100000
BREAK_ONLY_BEFORE = Massabeeldiabloporviejoquepordiablo

[my_sourcetype2]
SHOULD_LINEMERGER = true
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
category = Custom
MAX_EVENTS = 100000
BREAK_ONLY_BEFORE = Massabeeldiabloporviejoquepordiablo

0 Karma
1 Solution

woodcock
Esteemed Legend

IMHO, this should work but you may still find events broken/terminated/truncated due to other limits; see here:
http://answers.splunk.com/answers/4162/size-limit-for-an-event.html

View solution in original post

0 Karma

woodcock
Esteemed Legend

IMHO, this should work but you may still find events broken/terminated/truncated due to other limits; see here:
http://answers.splunk.com/answers/4162/size-limit-for-an-event.html

0 Karma

edrivera3
Builder

For now I cannot do much about those long files. In the future my plan is to parse all those files and create new files with a different structure/format that would be easier to divide them in multiple events, but that's another project. Thanks for your response.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...