Solved: How to split my input file into multiple events?

lakromani · ‎02-04-2017

Hi

My input file /tmp/log.txt looks like this.

192.168.22.5 93.x.x.x 456 2
192.168.22.10 183.x.x.x 63 1
src_ip dest_ip byte packet

When I add this file as an input file in Splunk, I get all data as one large event.
I would like these events top be split to separate lines.

So in props.conf i added:

[source::///tmp/log.txt]
SHOULD_LINEMERGE = false

But that did not help.
Not sure If I need to have **/** or **///** before file name, but nothing splits the line.

gcusello · ‎02-04-2017

Hi lakromani,
in your props.conf use

[monitor:///tmp/log.txt]
SHOULD_LINEMERGE = false
index = your_index
sourcetype = your_sourcetype

Bye.
Giuseppe

lakromani · ‎02-04-2017

I did find the [monitor:///tmp/log.txt] in input.conf under my app, so tried to add it there, but lines are still in one event.

[monitor:///tmp/log.txt]
SHOULD_LINEMERGE = false
disabled = false
sourcetype = test

Also restated splunk

gcusello · ‎02-04-2017

sorry but I was still sleeping 😉
you have to put SHOULD_LINEMERGE = false in your indexer's props.conf not in inputs.conf.

inputs.conf

[monitor:///tmp/log.txt]
disabled = false
sourcetype = test

props.conf

[test]
SHOULD_LINEMERGE = false

remember that if you receive logs from forwarders, you have to put inputs.conf in your forwarders and props.conf in your indexer.
Bye.
Giuseppe

lakromani · ‎02-04-2017

Now it worked perfectly. Thanks

How to split my input file into multiple events?