Re: How to upload and index a text file containing...

mmohiuddin · ‎03-04-2015

Hi

I would like to upload a text file containing more than 1500 lines without any line breaks. How do I do this in Splunk?

Here is my props.conf

[sourcetype]
MAX_EVENTS = 2000
TRUNCATE = 99999
SHOULD_LINEMERGE = TRUE
DATETIME_CONFIG = CURRENT

Even after making these changes, I am unable to get the data properly indexed in Splunk. I am getting line breaks. How do I properly get the events properly indexed to get the entire 1500 + lines as one event?

Please let me know.

Thanks

somesoni2 · ‎03-04-2015

Try this. (props.conf on Indexer/Heavy Forwarder)

[sourcetype]
BREAK_ONLY_BEFORE = ^JUNKCHAR
DATETIME_CONFIG = CURRENT
MAX_EVENTS = 2000
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 99999

mmohiuddin · ‎03-09-2015

Still I get only 704 lines indexed out of total of 1503 lines after applying the new props.conf on Indexer

edrivera3 · ‎04-09-2015

I have this conf and it worked for me.

SHOULD_LINEMERGE = true
BREAK__ONLY_BEFORE = (ADFASDFA)
NO_BINARY_CHECK = true
MAX_EVENT = 2000
is_valid = true
disabled = false
pulldown_type = true

Maybe there are something that you just don't need.

How to upload and index a text file containing more than 1500 lines without any line breaks?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to upload and index a text file containing more than 1500 lines without any line breaks?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0