I am attempting to parse Windows DHCP data. For those who aren't familiar with the format, the logs have a description which never changes on lines 1-32 of every file; line 33 is the header, and from there the data is in CSV format, delimited by a comma. My props.conf definition is below:
[dhcp:script_output]
HEADER_FIELD_LINE_NUMBER=33
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Structured
description=DHCP CSV
disabled=false
pulldown_type=true
This works flawlessly when I manually upload this in the GUI on my search head, but when I place it in the props.conf file on my indexers, it doesn't parse the data. It just treats one line as one event. Is there something obvious I am missing?
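As an added illustration (not code from the original post or from Splunk), the parser below implements the same rule the props.conf stanza expresses: discard the 32 fixed description lines, take line 33 as the CSV header, and treat each later line as one record keyed by the header fields. The sample log, its field names and its records are constructed for the example; a real audit log would be read from the file the monitor input points at.

```python
import csv

# Layout described in the question: 32 lines of unchanging descriptive text,
# the CSV header on line 33, then one record per line.
DESCRIPTION_LINES = 32
HEADER_LINE_NUMBER = 33  # same value as HEADER_FIELD_LINE_NUMBER in props.conf

# Constructed sample log. Field names mirror the Windows DHCP audit log header;
# the records themselves are made up for this example.
SAMPLE_LOG = "\n".join(
    [f"Description line {i} (never changes)" for i in range(1, DESCRIPTION_LINES + 1)]
    + [
        "ID,Date,Time,Description,IP Address,Host Name,MAC Address",
        "10,01/02/24,08:00:01,Assign,192.0.2.10,host-a.example.test,0A1B2C3D4E5F",
        "11,01/02/24,08:05:13,Renew,192.0.2.11,host-b.example.test,0A1B2C3D4E60",
        "",
    ]
)


def dhcp_header(text: str, header_line_number: int = HEADER_LINE_NUMBER) -> list:
    """Return the field names found on the header line (1-indexed)."""
    lines = text.splitlines()
    if len(lines) < header_line_number:
        raise ValueError(
            f"expected a header on line {header_line_number}, file has {len(lines)} lines"
        )
    return next(csv.reader([lines[header_line_number - 1]]))


def parse_dhcp_log(text: str, header_line_number: int = HEADER_LINE_NUMBER) -> list:
    """Return one dict per data record, keyed by the header on the given line.

    Everything before the header line is the fixed description block and is
    dropped; DictReader then consumes the header and the records that follow.
    Blank lines (such as a trailing newline) are skipped by DictReader.
    """
    lines = text.splitlines()
    if len(lines) < header_line_number:
        raise ValueError(
            f"expected a header on line {header_line_number}, file has {len(lines)} lines"
        )
    body = lines[header_line_number - 1:]
    return list(csv.DictReader(body))


def count_events_without_header_rule(text: str) -> int:
    """Event count you get when no header line number is applied: every
    non-empty line, description block included, becomes its own event.
    This mirrors the symptom in the question (one line per event)."""
    return sum(1 for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    print("header:", dhcp_header(SAMPLE_LOG))
    for record in parse_dhcp_log(SAMPLE_LOG):
        print(record["Date"], record["Time"], record["Description"],
              record["IP Address"], record["MAC Address"])
    print("events without the header rule:", count_events_without_header_rule(SAMPLE_LOG))
```

The difference between the two counters is the point of the question: with the header rule applied the sample yields two structured records, without it every line of the file, description block included, would be indexed as a separate event with no field names.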
In the props.conf documentation that describes "INDEXED_EXTRACTIONS" and "HEADER_FIELD_LINE_NUMBER", the introductory comments say:
This feature and all of its settings apply at input time, when data is
first read by Splunk. The setting is used on a Splunk system that has
configured inputs acquiring the data.
So, you probably need the following
inputs.conf on the forwarder
[monitor:///thepathtotheDHCPlogs]
sourcetype=dhcp:script_output
props.conf on the forwarder
[dhcp:script_output]
HEADER_FIELD_LINE_NUMBER=33
INDEXED_EXTRACTIONS=csv
props.conf on the indexer
[dhcp:script_output]
CHARSET=UTF-8
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Structured
description=DHCP CSV
disabled=false
pulldown_type=true
This is why it worked when you manually uploaded the data, but not when you did it the "normal way" - some of the settings must happen at input time (forwarder), and some at parsing time (indexer), and some at search time (search head).
HTH
worked perfectly - thank you!