Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Line Merge difficulties
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello helpful people,
I'm afraid I have an issue that is related to many questions already asked, but I have not been able to come up with a solution.
I have a log file that creates large events - more than 257 lines at a time.
To test the file, I took an extract and uploaded it manually. Using this file, I was able to create props.conf entry as shown below and the events ingested correctly, without breaking.
When I applied this to our clustered environment, the breaking has returned.
Events -
Show all 257 lines
Show all 257 lines
props.conf
[source::///xxxx/Log/xxxxServer.log]
SHOULD_LINEMERGE=true
MAX_EVENTS=10000
TIME_PREFIX=\+\+\+\+ \w+
The reason I am using source and not sourcetype is because this source file is common to a number of environments and I am already changing sourcetype using props and transforms to determine the sourcetype per servername.
Thanks in advance for help - much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
FYI - I have found the issue. Deliberate mistake? Maybe not, but it should have been obvious..
Original props.conf -
[source::///xxxx/Log/xxxxServer.log]
SHOULD_LINEMERGE=true
MAX_EVENTS=10000
TIME_PREFIX=\+\+\+\+ \w+
Working props.conf
[source::///xxxx/Log/xxxxServer.log]
SHOULD_LINEMERGE = true
MAX_EVENTS = 10000
TIME_PREFIX = \+\+\+\+ \w+
Yes, it was pesky spaces 🙂 Watch out for them! All now working as planned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
FYI - I have found the issue. Deliberate mistake? Maybe not, but it should have been obvious..
Original props.conf -
[source::///xxxx/Log/xxxxServer.log]
SHOULD_LINEMERGE=true
MAX_EVENTS=10000
TIME_PREFIX=\+\+\+\+ \w+
Working props.conf
[source::///xxxx/Log/xxxxServer.log]
SHOULD_LINEMERGE = true
MAX_EVENTS = 10000
TIME_PREFIX = \+\+\+\+ \w+
Yes, it was pesky spaces 🙂 Watch out for them! All now working as planned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway yes, props.conf is pushed from CM to indexers
The reason that the sourcetype is being set based on host name is because the sourcetype includes the environment - e.g. dev1, dev2, prod1, prod2 etc The source file has the same path and name on all servers. The consumers of the logs do not necessarily know which hosts make up which environment. Therefore, by including the environment in the sourcetype, the users can find their data more easily.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you apply the props.conf to your cluster? They should be installed on the indexers (pushed from the CM).
IMO, one should not be changing sourcetypes based on the server name. Source types refer to a kind of data. Kinds do not change because the server name changed. If you need to distinguish originating servers then use the host field.
If this reply helps you, Karma would be appreciated.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
