Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON - different output in the data preview and monitored files

abilis
Explorer
‎02-05-2019 01:37 PM

HI,

does anyone know why when i use data preview or a manually upload the file and apply a custom json sourcetype everything seems to be fine and splunk is recognizing an event per line, but when i monitor a file from a remote server i can see in the index the exact number of event that i have in the remote file but the search only show 1 event

alt text

in the remote inputs.conf file i have specified the name of the sourcetype i want to use

[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors

sourcetype = ErrorLog_json

thanks for your help...

Tags (1)
Preview file
15 KB
0 Karma
Reply

abilis
Explorer
‎02-05-2019 02:17 PM

the client machine has an universal forwarded installed, and the inputs.conf has the following

[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors
sourcetype = ErrorLog_json

the index database shows 177 events which is correct then when i go to the search bar and i type the following it only give 1 line

alt text

index="sandbox_webservers_logs_errors" sourcetype="ErrorLog_json"

Preview file
60 KB
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-05-2019 01:41 PM

If your data is going through a heavy forwarder before it gets to your indexer, then you will need to put your [ErrorLog_json] sourcetype stanza on that heavy forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...