Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to line merge only a specific extracted sourcetype and not apply it to the entire source input from UDP:514

sab057
Explorer
‎02-04-2015 05:45 PM

Hi there, I am in the situation where a number of devices are forwarding to splunk on UDP:514. I can easily enough create new sourcetypes for them, however with one of these sourcetypes, namely my DHCP sourcetype, I need to be able to linemerge just this sourcetype and not the others. I was previously able to accomplish this by applying this in props.conf:

[source::UDP:514]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = notification

But of course, that line-merges all the other sourcetypes in UDP:514 as well.

Is there a way to line merge only a specific extracted sourcetype and not blanket apply it to the entire source input?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:04 PM

First off, read this: http://www.georgestarcher.com/splunk-success-with-syslog/

You can specify props.conf settings on a per-sourcetype basis - I'd even say that's the most common approach.

[your_sourcetype]
SHOULD_LINEMERGE = True
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...