how can I set line breaking for no of files having...

john · ‎05-04-2012

All the below folders are from same source
eg:source="parent\\.\*."

folder name fileextension linebreaking
04/04/12 x.log Breaking on date for x
y.log Breaking on some string for y
z.log another line breaker for z

05/04/12 x.log Breaking on date for x

                                 y.log                 Breaking on some string for y

................so on
Please tell me the procedure how to configure both props and input.config or any other config files for the same.

Props.cofig
Source::....
sourcetype=...
[sourcetype]
linebreaking

input.cofig
monitor::/parent
priority=1
crcs...

This is my props and input.config files.How to create sourcetype for different files in a same folder instead of creating soucetype for each file seperatly in Datainputs.If we create source type mnually through datainputs then only splunk will identify the sourcetype or what?

kristian_kolb · ‎05-04-2012

One way to solve it;

inputs.conf

[monitor:///parent/a/*.log]
sourcetype=type_a

[monitor:///parent/b/*.log]
sourcetype=type_b

props.conf

[type_a]
BREAK_ONLY_BEFORE_DATE = true

[type_b]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)your_other_string_to_break_before

Hope this helps,

Kristian

john · ‎05-04-2012

Thanks kristian,sorry i forgot to mention that iam having same x.log extension file on other folder also i mean iam getting log on basis of each date.And iam copy that to one folder like Parent folder having

a,d,c folder all files having same extension and same line breaking.Please check i have edited my queries.

how can I set line breaking for no of files having same extension in different folders under one sorce folder

Changes to Splunk Instructor-Led Training Completion Criteria

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3