Hi,
Does anyone know why, when I use data preview or manually upload the file and apply a custom JSON sourcetype, everything seems to be fine and Splunk recognizes one event per line, but when I monitor a file from a remote server, I can see in the index the exact number of events that I have in the remote file, but the search only shows 1 event?
In the remote inputs.conf file I have specified the name of the sourcetype I want to use:
[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors
sourcetype = ErrorLog_json
Thanks for your help.
The client machine has a universal forwarder installed, and the inputs.conf has the following:
[monitor://X:\Logs\Website]
disabled = false
index = sandbox_webservers_logs_errors
whitelist = errors
sourcetype = ErrorLog_json
The index database shows 177 events, which is correct. Then when I go to the search bar and type the following, it only gives 1 line:
index="sandbox_webservers_logs_errors" sourcetype="ErrorLog_json"
If your data is going through a heavy forwarder before it gets to your indexer, then you will need to put your [ErrorLog_json] sourcetype stanza on that heavy forwarder.