Getting Data In

How can I define customize sourcetype that I write logs in _internal?

Explorer

My custom script writes log in /opt/splunk/var/log/splunk/script.log.

I want the log to be indexed in _internal but have to define a customized sourcetype for the log to write in a proper linebreak. Please let me know how to define sourcetype for the _internal data.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

In your inputs.conf file, add:

[monitor:///opt/splunk/var/log/splunk/script.log]
sourcetype = foo
index = _internal

In your props,conf file, add the following. Adjust the values to match your data.

[foo]
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
SHOULD_LINEMERGE = false
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

In your inputs.conf file, add:

[monitor:///opt/splunk/var/log/splunk/script.log]
sourcetype = foo
index = _internal

In your props,conf file, add the following. Adjust the values to match your data.

[foo]
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
SHOULD_LINEMERGE = false
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

Explorer

Thanks it works!!!

0 Karma