Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk not treating each line as event after forwarding

jamesvz84
Communicator
‎02-05-2014 07:07 AM

Hello,

I have a log where I need to treat each line as an event. I set up the sourcetype in props.conf for this to happen and it works fine on a standalone Splunk instance. However, when I try this with a Universal Forwarder sending to an intermediate heavy forwarder, then on to the indexer, it doesn't work in making each line an event. Below are my props.conf entries. I have props.conf on both the universal forwarder and indexer (but not on intermediate heavy forwarder). In inputs.conf. I have set the input to have this sourcetype:

props.conf:
[sep_syslog]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
EXTRACT-messsage = (?i)^(?:[^\t]*\t){6}(?P<messsage>.+)

Am I missing anything here? Should I also put props.conf on intermediate forwarder? Again, this works fine on a standalone instance.

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎02-05-2014 09:09 AM

You will need to match all props and transforms on the indexer and the heavy forwarder. The processing is done on heavy forwarder for events sent there, and on the indexer for events send directly there. I use Deployment Server to keep them all coordinated.

Reply

somesoni2
Revered Legend
‎02-05-2014 07:39 AM

Universal forwarder don't do any parsing hence, keep the props.conf to intermediate heavy forwarder and indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...