Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk not treating each line as event after forwarding

jamesvz84
Communicator
‎02-05-2014 07:07 AM

Hello,

I have a log where I need to treat each line as an event. I set up the sourcetype in props.conf for this to happen and it works fine on a standalone Splunk instance. However, when I try this with a Universal Forwarder sending to an intermediate heavy forwarder, then on to the indexer, it doesn't work in making each line an event. Below are my props.conf entries. I have props.conf on both the universal forwarder and indexer (but not on intermediate heavy forwarder). In inputs.conf. I have set the input to have this sourcetype:

props.conf:
[sep_syslog]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
EXTRACT-messsage = (?i)^(?:[^\t]*\t){6}(?P<messsage>.+)

Am I missing anything here? Should I also put props.conf on intermediate forwarder? Again, this works fine on a standalone instance.

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎02-05-2014 09:09 AM

You will need to match all props and transforms on the indexer and the heavy forwarder. The processing is done on heavy forwarder for events sent there, and on the indexer for events send directly there. I use Deployment Server to keep them all coordinated.

Reply

somesoni2
Revered Legend
‎02-05-2014 07:39 AM

Universal forwarder don't do any parsing hence, keep the props.conf to intermediate heavy forwarder and indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...