Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to line merge only a specific extracted sourcetype and not apply it to the entire source input from UDP:514

sab057
Explorer
‎02-04-2015 05:45 PM

Hi there, I am in the situation where a number of devices are forwarding to splunk on UDP:514. I can easily enough create new sourcetypes for them, however with one of these sourcetypes, namely my DHCP sourcetype, I need to be able to linemerge just this sourcetype and not the others. I was previously able to accomplish this by applying this in props.conf:

[source::UDP:514]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = notification

But of course, that line-merges all the other sourcetypes in UDP:514 as well.

Is there a way to line merge only a specific extracted sourcetype and not blanket apply it to the entire source input?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:04 PM

First off, read this: http://www.georgestarcher.com/splunk-success-with-syslog/

You can specify props.conf settings on a per-sourcetype basis - I'd even say that's the most common approach.

[your_sourcetype]
SHOULD_LINEMERGE = True
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...