
LINE_BREAKER for input on a universal forwarder?

dominiquevocat
SplunkTrust

I have a few universal forwarders which tail a folder structure. They send the data to an indexer on which a search head is also enabled.

I need to specify a line breaker in props.conf like so:

[xXx]
BREAK_ONLY_BEFORE = Event[
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true

I am confused as to where I have to specify this, meaning in which props.conf I have to add it.

Not on the universal forwarder, I gather... but where on the indexer? In $splunkhome$/etc/apps/Splunk/Forwarder???

To contain all the configuration items for that source/user group I created an app and placed this snippet in the app's /local/props.conf, but it fails to separate the events by the string and instead opts for the default, which is the timestamp roughly two lines below. (Hint: the source is a Windows event log export that is stripped of the XML for readability; we feed end user workstations' event logs to Splunk via a custom store-and-forward mechanism.)

0 Karma

kristian_kolb
Ultra Champion

Two things,

Does your regex match? I would recommend that you escape the opening square bracket, as it has special meaning in regex, like so:

[xXx]
BREAK_ONLY_BEFORE = Event\[

SHOULD_LINEMERGE = true is a default setting, so it is not strictly needed.

NO_BINARY_CHECK = 1 is only relevant in the input phase, so keep it there if your indexer is reading the files locally. If they're coming from a forwarder, this setting is ignored. But it won't hurt anything.

Alternatively:

Do you have the same [xXx] stanza configured anywhere with the BREAK_ONLY_BEFORE parameter set in a props.conf file that has higher precedence?

/etc/system/local beats /etc/apps/app_name/local, which in turn beats /etc/system/default.

See the docs on configuration file precedence:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles

/K

0 Karma
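Added worked example (not part of the thread, and not Splunk code): a small Python emulation of what the two answers above are talking about. It shows why BREAK_ONLY_BEFORE = Event[ can never fire (the regex does not compile, in Python's re as in Splunk's PCRE), and how SHOULD_LINEMERGE = true merges lines once the bracket is escaped. It also models the caveat a practitioner would want: BREAK_ONLY_BEFORE_DATE defaults to true in props.conf, so timestamp lines still start new events unless that is turned off, which matches the "breaks at the timestamp two lines below" symptom in the question. The event log export, the DATE_RE stand-in for Splunk's timestamp detection, and the [xXx] stanza values are constructed assumptions for the demo.

```python
import re
from typing import List, Optional

# Constructed sample: a Windows event log export stripped of its XML, as the
# original poster describes. Each record starts with "Event[" and carries a
# timestamp a few lines further down.
SAMPLE_EXPORT = """\
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2014-01-15T08:12:33.000
  Event ID: 4624
  Description: An account was successfully logged on.
Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2014-01-15T08:12:35.000
  Event ID: 4625
  Description: An account failed to log on.
"""

# Assumed stand-in for Splunk's timestamp detection: an ISO-8601 date and time.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def compile_break_regex(pattern: str) -> Optional[re.Pattern]:
    """Return the compiled BREAK_ONLY_BEFORE regex, or None if it is invalid.

    "Event[" opens a character class that is never closed, so it does not
    compile; a breaking rule whose regex is invalid cannot break anything,
    which is why the unescaped version silently falls back to the defaults.
    """
    try:
        return re.compile(pattern)
    except re.error:
        return None


def break_events(raw: str, break_only_before: str,
                 break_only_before_date: bool = True) -> List[str]:
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE.

    Lines are merged into the current event until a line matches
    break_only_before (unanchored, like the stanza in the question), which
    starts a new event. With break_only_before_date set (the documented
    default for BREAK_ONLY_BEFORE_DATE is true) a line carrying a timestamp
    also starts a new event.
    """
    rx = compile_break_regex(break_only_before)
    events: List[List[str]] = []
    for line in raw.splitlines():
        matches_break = rx is not None and rx.search(line) is not None
        matches_date = break_only_before_date and DATE_RE.search(line) is not None
        if matches_break or matches_date or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(ev) for ev in events]


def demo() -> dict:
    """Run the three configurations from the thread and return the event counts."""
    return {
        "unescaped (Event[), date break on": len(break_events(SAMPLE_EXPORT, "Event[")),
        "escaped (Event\\[), date break on": len(break_events(SAMPLE_EXPORT, r"Event\[")),
        "escaped (Event\\[), date break off": len(
            break_events(SAMPLE_EXPORT, r"Event\[", break_only_before_date=False)
        ),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} events (2 expected)")
```

Only the third configuration yields the two events the export actually contains, so in props.conf the stanza that mirrors it is BREAK_ONLY_BEFORE = Event\[ together with BREAK_ONLY_BEFORE_DATE = false. Because a universal forwarder does not parse, that stanza belongs on the indexer (or a heavy forwarder in front of it); to confirm which copy of props.conf wins there, run $SPLUNK_HOME/bin/splunk btool props list xXx --debug on the indexer, which prints each effective setting with the file it came from.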

dominiquevocat
SplunkTrust

For now I get very few logs (once per day a few events) till we ramp up, so testing has been difficult. It would seem that the last change took a while to have effect. The last change was placing the props.conf into the custom app on the indexer. It should have worked before, but perhaps it was just bad timing... ??? Will continue to watch it. Thanks for the reply anyway.

0 Karma

gfuente
Motivator

Under any app, in the local folder, for example:
$splunkhome$/etc/apps/search/local

or

$splunkhome$/etc/apps/myapp/local

It will work anyway

0 Karma

dominiquevocat
SplunkTrust

Cool, that is what I did... why doesn't it work? 🙂

0 Karma