Splunk not treating each line as event after forwa...

jamesvz84 · ‎02-05-2014

Hello,

I have a log where I need to treat each line as an event. I set up the sourcetype in props.conf for this to happen and it works fine on a standalone Splunk instance. However, when I try this with a Universal Forwarder sending to an intermediate heavy forwarder, then on to the indexer, it doesn't work in making each line an event. Below are my props.conf entries. I have props.conf on both the universal forwarder and indexer (but not on intermediate heavy forwarder). In inputs.conf. I have set the input to have this sourcetype:

props.conf:
[sep_syslog]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
EXTRACT-messsage = (?i)^(?:[^\t]*\t){6}(?P<messsage>.+)

Am I missing anything here? Should I also put props.conf on intermediate forwarder? Again, this works fine on a standalone instance.

alacercogitatus · ‎02-05-2014

You will need to match all props and transforms on the indexer and the heavy forwarder. The processing is done on heavy forwarder for events sent there, and on the indexer for events send directly there. I use Deployment Server to keep them all coordinated.

somesoni2 · ‎02-05-2014

Universal forwarder don't do any parsing hence, keep the props.conf to intermediate heavy forwarder and indexer.

Splunk not treating each line as event after forwarding

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life