Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to line merge only a specific extracted sourcetype and not apply it to the entire source input from UDP:514

sab057
Explorer
‎02-04-2015 05:45 PM

Hi there, I am in the situation where a number of devices are forwarding to splunk on UDP:514. I can easily enough create new sourcetypes for them, however with one of these sourcetypes, namely my DHCP sourcetype, I need to be able to linemerge just this sourcetype and not the others. I was previously able to accomplish this by applying this in props.conf:

[source::UDP:514]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = notification

But of course, that line-merges all the other sourcetypes in UDP:514 as well.

Is there a way to line merge only a specific extracted sourcetype and not blanket apply it to the entire source input?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:04 PM

First off, read this: http://www.georgestarcher.com/splunk-success-with-syslog/

You can specify props.conf settings on a per-sourcetype basis - I'd even say that's the most common approach.

[your_sourcetype]
SHOULD_LINEMERGE = True
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...