Splunk not treating each line as event after forwa...

jamesvz84 · ‎02-05-2014

Hello,

I have a log where I need to treat each line as an event. I set up the sourcetype in props.conf for this to happen and it works fine on a standalone Splunk instance. However, when I try this with a Universal Forwarder sending to an intermediate heavy forwarder, then on to the indexer, it doesn't work in making each line an event. Below are my props.conf entries. I have props.conf on both the universal forwarder and indexer (but not on intermediate heavy forwarder). In inputs.conf. I have set the input to have this sourcetype:

props.conf:
[sep_syslog]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
EXTRACT-messsage = (?i)^(?:[^\t]*\t){6}(?P<messsage>.+)

Am I missing anything here? Should I also put props.conf on intermediate forwarder? Again, this works fine on a standalone instance.

alacercogitatus · ‎02-05-2014

You will need to match all props and transforms on the indexer and the heavy forwarder. The processing is done on heavy forwarder for events sent there, and on the indexer for events send directly there. I use Deployment Server to keep them all coordinated.

somesoni2 · ‎02-05-2014

Universal forwarder don't do any parsing hence, keep the props.conf to intermediate heavy forwarder and indexer.

Splunk not treating each line as event after forwarding

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation