Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk not treating each line as event after forwarding

jamesvz84
Communicator
‎02-05-2014 07:07 AM

Hello,

I have a log where I need to treat each line as an event. I set up the sourcetype in props.conf for this to happen and it works fine on a standalone Splunk instance. However, when I try this with a Universal Forwarder sending to an intermediate heavy forwarder, then on to the indexer, it doesn't work in making each line an event. Below are my props.conf entries. I have props.conf on both the universal forwarder and indexer (but not on intermediate heavy forwarder). In inputs.conf. I have set the input to have this sourcetype:

props.conf:
[sep_syslog]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
EXTRACT-messsage = (?i)^(?:[^\t]*\t){6}(?P<messsage>.+)

Am I missing anything here? Should I also put props.conf on intermediate forwarder? Again, this works fine on a standalone instance.

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎02-05-2014 09:09 AM

You will need to match all props and transforms on the indexer and the heavy forwarder. The processing is done on heavy forwarder for events sent there, and on the indexer for events send directly there. I use Deployment Server to keep them all coordinated.

Reply

somesoni2
Revered Legend
‎02-05-2014 07:39 AM

Universal forwarder don't do any parsing hence, keep the props.conf to intermediate heavy forwarder and indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...