Domain Profile Settings:
----------------------------------------------------------------------
State ON

Private Profile Settings:
----------------------------------------------------------------------
State ON

Public Profile Settings:
----------------------------------------------------------------------
State ON
Ok.
###### FirewallStatus ######
# props.conf
[source::...FirewallStatus.Log]
sourcetype = FirewallStatusLog
CHECK_METHOD = modtime

[FirewallStatusLog]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = neverbreak
DATETIME_CONFIG = NONE
pulldown_type = true

# inputs.conf
[monitor://$SPLUNK_HOME\var\log\custom\FirewallStatus.log]
disabled = 0
sourcetype = FirewallStatusLog
The normal process for monitor inputs is to index events as they are added to the file. Splunk keeps track of its position in the file so events are not duplicated in the index.
If you need later updates to be included in the same event, consider having Splunk wait for additional data before indexing the file. See the multiline_event_extra_waittime and time_before_close settings in props.conf.
I guess that worked. I found these settings in the inputs.conf file and not in the props.conf file.
Thanks!
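The two settings named in the answer, applied to the monitor stanza from the question in inputs.conf, where the follow-up reply found them. This is an added example, not configuration posted by anyone in the thread, and the 10-second value is an assumed starting point to tune against how long the script takes to finish writing the file.

```ini
# inputs.conf (added example; time_before_close value is an assumption)
[monitor://$SPLUNK_HOME\var\log\custom\FirewallStatus.log]
disabled = 0
sourcetype = FirewallStatusLog
# Hold the event delimiter until the monitor closes the file,
# instead of sending it as soon as EOF is reached (default: false).
multiline_event_extra_waittime = true
# Seconds the file must go unmodified before the monitor closes it
# (default: 3). Set this longer than the writer needs to emit all
# three profile blocks so they arrive as one event.
time_before_close = 10
```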