Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to tell forwarder to wait for a cr/nl

a212830
Champion
‎11-29-2013 04:43 PM

Hi,

I have a logfile which is single-line and well structured, but the feed doesn't always write out entire lines. I might get 10 lines (with cr/lf) and then half a line, until the next "batch" of data comes in. As a result, I'm getting events with only half of the data sometimes. How do i tell the forwarder to wait until a cr/lf comes in, and don't process it until that happens?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-29-2013 06:32 PM

If this is a problem of lines partially written, check the option time_before_close in the inputs.conf
and increase the time to wait before considering a line to be finalized.

http://docs.splunk.com/Documentation/Splunk/6.0/admin/Inputsconf

Reply

a212830
Champion
‎11-30-2013 06:59 AM

OK. It works, but it almost seems like it goes into "sleep" and then wakes up and reads the file, which, while it works, leaves me behind a batch of entries. Is there a way to tell it to break before the beginning of every line, but only if it contains a timestamp? The file is very well structured - timestamp|field|value|field|value

Here's a sample:

1385823300000|132210|NormalizedMemoryInfo|Free|287534508|Memory|testdevice|Enhanced-MemoryPool: Processor 3012.1

1385823300000|132210|NormalizedMemoryInfo|Utilization|23.67089250345821|Memory|testdevice2|Enhanced-MemoryPool: Processor 3012.1

0 Karma
Reply

jtacy
Builder
‎11-30-2013 06:31 AM

Please move that config to inputs.conf in the affected stanza and restart the indexer.

0 Karma
Reply

a212830
Champion
‎11-30-2013 05:54 AM

Tried it, but it was flagged as a possible type error after starting up the indexer.

Here's the props.conf entry:

[snmpinfo]
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = 1
TIME_PREFIX = ^
TIME_FORMAT = %s%3N
time_before_close = 310

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...