Getting Data In

Problem of indexing data in indexer

sieutruc
Contributor

Hello,

I have a problem with indexing data on the indexer.
I have a file test.csv. When I monitor it locally on the indexer with sourcetype substate (configured in props.conf on the indexer), the indexer can parse the data based on the settings inside props (e.g. SHOULD_LINEMERGE=false).

But if I use a Universal Forwarder (UF) to monitor that CSV file, its entire data content is sent to the indexer without the SHOULD_LINEMERGE=false above being applied.

I know that parse-time settings can be configured on the indexer or a heavy forwarder, but not on a UF.

So how can I configure things so that the Splunk indexer is able to index it correctly?

0 Karma

sowings
Splunk Employee

Parse-time rules would still apply where the parsing is done. In environments where the forwarders are Universal Forwarders (UF), the parsing occurs on the indexer. Note that the inputs.conf on the UF may set a sourcetype--it is the rules for this sourcetype that would be applied at parse time.

0 Karma

ClementG
Path Finder

You have to do it on the Heavy Forwarder; you can set your stanza on either the sourcetype or the source of the file.

sieutruc
Contributor

In fact, my Splunk deployment is a bit more complicated. There is an intermediate forwarder (heavy forwarder) that forwards data from the UF to the indexer. I see 2 events from the UF with the same sourcetype substate, but one of them seems not to have had the sourcetype applied to it.

So do I need to configure the same props on the intermediate forwarder?

0 Karma

ClementG
Path Finder

Hi,

You can add a props.conf on the indexer with a stanza on the specified sourcetype, source or host.

E.G.

[source::my.csv]
SHOULD_LINEMERGE = false

http://splunk-base.splunk.com/answers/48280/forwarder-configuration

Regards

Clement

0 Karma

sieutruc
Contributor

Yes, I did, but it's not totally working.

0 Karma
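The placement discussed in this thread, laid out per tier for a UF -> heavy forwarder -> indexer chain. This is an added example, not configuration posted by any participant; the monitored path is a placeholder, and the sourcetype name and setting are the ones from the question.

```ini
# --- Universal Forwarder: inputs.conf ---
# The UF does not parse; it only tags the data with a sourcetype.
# The path below is a placeholder for the real location of test.csv.
[monitor:///path/to/test.csv]
sourcetype = substate

# --- Intermediate heavy forwarder: props.conf ---
# The heavy forwarder is the first instance that parses the data in this
# chain, so the parse-time rule for the sourcetype is placed here.
[substate]
SHOULD_LINEMERGE = false

# --- Indexer: props.conf ---
# Same stanza, for data that reaches the indexer unparsed
# (for example from a UF that sends to it directly).
[substate]
SHOULD_LINEMERGE = false
```

Parse-time settings in props.conf are read at startup, so restart the instance after changing them; events that were already indexed keep the line breaking they were indexed with.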