Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to split my input file into multiple events?

lakromani
Builder
‎02-04-2017 12:13 AM

Hi

My input file /tmp/log.txt looks like this.

192.168.22.5 93.x.x.x 456 2
192.168.22.10 183.x.x.x 63 1
src_ip dest_ip byte packet

When I add this file as an input file in Splunk, I get all data as one large event.
I would like these events top be split to separate lines.

So in props.conf i added:

[source::///tmp/log.txt]
SHOULD_LINEMERGE = false

But that did not help.
Not sure If I need to have **/** or **///** before file name, but nothing splits the line.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-04-2017 12:19 AM

Hi lakromani,
in your props.conf use 

[monitor:///tmp/log.txt]
SHOULD_LINEMERGE = false
index = your_index
sourcetype = your_sourcetype

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-04-2017 12:19 AM

Hi lakromani,
in your props.conf use 

[monitor:///tmp/log.txt]
SHOULD_LINEMERGE = false
index = your_index
sourcetype = your_sourcetype

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

lakromani
Builder
‎02-04-2017 12:46 AM

I did find the [monitor:///tmp/log.txt] in input.conf under my app, so tried to add it there, but lines are still in one event.

[monitor:///tmp/log.txt]
SHOULD_LINEMERGE = false
disabled = false
sourcetype = test

Also restated splunk

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-04-2017 12:50 AM

sorry but I was still sleeping 😉
you have to put SHOULD_LINEMERGE = false in your indexer's props.conf not in inputs.conf.

inputs.conf

[monitor:///tmp/log.txt]
disabled = false
sourcetype = test

props.conf

[test]
SHOULD_LINEMERGE = false

remember that if you receive logs from forwarders, you have to put inputs.conf in your forwarders and props.conf in your indexer.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

lakromani
Builder
‎02-04-2017 03:12 AM

Now it worked perfectly. Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...