Getting Data In

Why is the universal forwarder not forwarding some lines in my logs?

raiszani
New Member

I'd set up the universal forwarder to send my logs to another server and it's working, but it's losing part of some lines in the process, as shown in the image attached. Does anyone know how to solve that?


0 Karma

deepthi5
Path Finder

Hello,

It looks like the parsing rules for breaking the events were not defined properly. Please use the stanza below in your props.conf file, save it, and restart your Splunk service.
Replace sourcetypename with the sourcetype name of your log.

[sourcetypename]
TIME_FORMAT = %Y.%m.%d.%H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
NO_BINARY_CHECK = 1
pulldown_type = 1
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\,\d{3}

0 Karma
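
An added example, not part of the thread and not Splunk's own code: a Python approximation of how the stanza above groups lines into events, plus a check of whether its TIME_FORMAT can match a timestamp shaped like its own BREAK_ONLY_BEFORE pattern. The sample log lines and the helper names are constructed for illustration; the poster's real log format is not shown on the page.

```python
import re

# Values copied from the stanza in the answer above.
BREAK_ONLY_BEFORE = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\,\d{3}"
TIME_FORMAT = "%Y.%m.%d.%H:%M:%S:%3N"
MAX_TIMESTAMP_LOOKAHEAD = 23

# Constructed sample (assumption): a Catalina-style log with a stack trace.
SAMPLE = (
    "2016-05-10 14:22:31,123 INFO Server startup in 5123 ms\n"
    "2016-05-10 14:22:40,456 ERROR Servlet.service() threw exception\n"
    "java.lang.NullPointerException\n"
    "\tat com.example.Demo.run(Demo.java:42)\n"
)

# Only the strptime directives that appear in the formats used here.
DIRECTIVES = {"Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}",
              "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}", "3N": r"\d{3}"}

def time_format_to_regex(fmt):
    """Translate a TIME_FORMAT string into an equivalent regex."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%":
            key = "3N" if fmt.startswith("3N", i + 1) else fmt[i + 1]
            out.append(DIRECTIVES[key])
            i += 1 + len(key)
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return re.compile("".join(out))

def merge_events(text, break_only_before):
    """Approximate line merging: a new event starts only on a matching line."""
    pattern, events = re.compile(break_only_before), []
    for line in text.splitlines():
        if pattern.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def timestamp_found(event, fmt, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """True if fmt matches somewhere in the first `lookahead` characters."""
    return time_format_to_regex(fmt).search(event[:lookahead]) is not None

if __name__ == "__main__":
    for ev in merge_events(SAMPLE, BREAK_ONLY_BEFORE):
        print(timestamp_found(ev, TIME_FORMAT), repr(ev[:23]))
```

On this constructed sample the break pattern keeps the stack trace with its ERROR line, while the TIME_FORMAT finds no timestamp because it expects dots and colons where the pattern expects dashes, a space and a comma.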

raiszani
New Member

Thanks for your answer. I gave it a try and it's still not working.
Actually, I'm using 2 sourcetypes: CSV and Catalina.

0 Karma

jkat54
SplunkTrust

Looks like a bad line_breaker regex. Can you post your props.conf from the forwarder & indexers? Or if you're in a single instance environment, just the props.conf?

0 Karma

raiszani
New Member

Sure. Here is the link:

http://pastebin.com/qkr7UBnW

0 Karma