Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Do line breaking configs in props.conf apply to files that are manually uploaded to Splunk?

jambajuice
Communicator
‎01-26-2011 09:20 PM

I have a very simple config for an input in props.conf:

[fortinet_config]
SHOULD_LINEMERGE = True

If I use the "Upload a local file" option to index a config file, Splunk always breaks it up into individual lines.

Are stanzas in props.conf applied to files that are uploaded through the GUI?

Thx.

Craig

Tags (1)
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 08:18 AM

They do apply to uploaded files. Here's a props.conf trick that's used by the *NIX app to consume long outputs as a single entry. A stanza like the following will allow you to consume your entire config file as a single event. Be sure to manually set your sourcetype on the Data Input to whatever you use in your stanza (myconfigs in the example):

[myconfigs]
SHOULD_LINEMERGE=false
LINE_BREAKER=^()$
TRUNCATE=1000000
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-10-2011 03:29 PM

Yes, you should specify the sourcetype when uploading (unless your props.conf rules are based on source...but you have to be careful here, as the file path will be the path of the batch directory). Also, a less risky LINE_BREAKER would be (?!), which will never match. ^()$ will work in this context, but that regex will not always fail.

Reply

jrodman
Splunk Employee
Splunk Employee
‎01-27-2011 06:48 AM

They should apply, and if they do not (and have that sourcetype), that is a bug.

That configuration is not terribly extensive, so I'm uncertain what differences you are seeing. There could be a more complex case where the behavior relies on certain source:: based rules, which aren't matching for the upload behavior.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...