Hello,
I would like to reach out for some help in creating a custom sourcetype (cloned from _json), I'm calling it "ibcapacity". I've tried to edit the settings under this new sourcetype but my results are even more broken.
The output of the file is formatted correctly in _json (the jq checks come back all good); but when using the _json default sourcetype, the Splunk event gets cut off at 349 lines (the entire file is 392 lines); and the other problem using the standard _json format is that its not fully "color coding" the KVs...but that could be due to the fact that the end brackets aren't in the Splunk event because it was cut off at 349 lines.
So my solution was to try to create a custom sourcetype (cloned from _json), I'm calling it "ibcapacity". I've tried to edit the settings under this new sourcetype but my results are even more broken.
Here is the event when searched in the standard _json sourcetype:
However, the rest of the file has this at the end (past line 349), which doesn't show up in the Splunk event:
],
"percent_used": 120,
"role": "Grid Master",
"total_objects": 529020
}
]Can this community please help to identify what the correct settings should be for my custom sourcetype, ibcapacity? Why is the Splunk log getting cut off at 349 lines when using sourcetype=_json?
Thank you.
I did something here, I put the props.conf on the ~local on the Splunk UF host where the script is being run:
[ibcapacity]
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE =
CHARSET = AUTO
DATETIME_CONFIG =
DEPTH_LIMIT = 1000
DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
HEADER_MODE =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LB_CHUNK_BREAKER_TRUNCATE = 2000000
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER = ([\r\n]+)
LINE_BREAKER_LOOKBEHIND = 100
MATCH_LIMIT = 100000
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 512
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
NO_BINARY_CHECK = true
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = false
TRANSFORMS =
TRUNCATE = 10000
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
detect_trailing_nulls = false
disabled = false
maxDist = 100
priority =
pulldown_type = true
sourcetype =
termFrequencyWeightedDist = falseand then restarted the Splunk UF on the host, and ran the script again...it did do the same exact thing as the _json sourcetype, where it cut it off at 349 lines. So then I deleted about 60 lines and ensured that the brackets all closed, let the Splunk UF read the file again, and now it did perform the correct _json like parsing for the custom sourcetype, ibcapacity:
Is there anyway to ensure that Splunk will read the entire 392 lines?
Thanks for the suggestion, I did update the settings on my custom sourcetype, ibcapacity, where the btool command was identical to that of _json's btool command, and it was doing exactly as before, linebreaking every line:
I'm sure there is a line break issue here, but I'm not sure how to implement it.
