Solved: Props.conf file changes

prathapkcsc · ‎06-29-2017

Hi,
my sample data like this
101,Mango,0.40%
102,Orange,0.70%
It is coming as a single event, as i want to split into multiple events based on new line escape character.
What changes do i need to made in props.conf file
My sourcetype is "abc"
My props.conf looks like this
props.conf:
[abc]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)

Anyone help me?
Thank you.

woodcock · ‎06-29-2017

That should do it. so check these:

The props.conf file is deployed to your indexing servers (usually Indexers, occasionally Heavy Forwarders).
Ensure that there are no competing entries for your sourcetype ( $SPLUNK_HOME/bin/splunk cmd btool props list abc ).
Ensure that the sourcetype values match EXACTLY (case matters).
Restart all splunk instances after the file is deployed.
When you test/evaluate your change, check ONLY events that have been forwarded after the restarts (older/previous events will stay broken); you can use _index_earliest=-5m or similar to ensure this.

View solution in original post

woodcock · ‎06-29-2017

That should do it. so check these:

The props.conf file is deployed to your indexing servers (usually Indexers, occasionally Heavy Forwarders).
Ensure that there are no competing entries for your sourcetype ( $SPLUNK_HOME/bin/splunk cmd btool props list abc ).
Ensure that the sourcetype values match EXACTLY (case matters).
Restart all splunk instances after the file is deployed.
When you test/evaluate your change, check ONLY events that have been forwarded after the restarts (older/previous events will stay broken); you can use _index_earliest=-5m or similar to ensure this.

prathapkcsc · ‎06-29-2017

Working now, I just restarted the splunkd service.
Thanks for your help!

Props.conf file changes

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!