Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON - different output in the data preview and monitored files

abilis
Explorer
‎02-05-2019 01:37 PM

HI,

does anyone know why when i use data preview or a manually upload the file and apply a custom json sourcetype everything seems to be fine and splunk is recognizing an event per line, but when i monitor a file from a remote server i can see in the index the exact number of event that i have in the remote file but the search only show 1 event

alt text

in the remote inputs.conf file i have specified the name of the sourcetype i want to use

[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors

sourcetype = ErrorLog_json

thanks for your help...

Tags (1)
Preview file
15 KB
0 Karma
Reply

abilis
Explorer
‎02-05-2019 02:17 PM

the client machine has an universal forwarded installed, and the inputs.conf has the following

[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors
sourcetype = ErrorLog_json

the index database shows 177 events which is correct then when i go to the search bar and i type the following it only give 1 line

alt text

index="sandbox_webservers_logs_errors" sourcetype="ErrorLog_json"

Preview file
60 KB
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-05-2019 01:41 PM

If your data is going through a heavy forwarder before it gets to your indexer, then you will need to put your [ErrorLog_json] sourcetype stanza on that heavy forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...