JSON - different output in the data preview and mo...

abilis · ‎02-05-2019

HI,

does anyone know why when i use data preview or a manually upload the file and apply a custom json sourcetype everything seems to be fine and splunk is recognizing an event per line, but when i monitor a file from a remote server i can see in the index the exact number of event that i have in the remote file but the search only show 1 event

in the remote inputs.conf file i have specified the name of the sourcetype i want to use

[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors

sourcetype = ErrorLog_json

thanks for your help...

abilis · ‎02-05-2019

the client machine has an universal forwarded installed, and the inputs.conf has the following

[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors
sourcetype = ErrorLog_json

the index database shows 177 events which is correct then when i go to the search bar and i type the following it only give 1 line

index="sandbox_webservers_logs_errors" sourcetype="ErrorLog_json"

chrisyounger · ‎02-05-2019

If your data is going through a heavy forwarder before it gets to your indexer, then you will need to put your [ErrorLog_json] sourcetype stanza on that heavy forwarder.

JSON - different output in the data preview and monitored files

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!