Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: sourcetype isn't parsing DHCP data correctlyon...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am attempting to parse windows DHCP data, for those who aren't familiar with the format, the logs have a description which never changes from lines 1-32 of every file, on line 33 is the header and then from there is the data in csv format, delimited by a comma. My props.conf definition is below,
[dhcp:script_output]
HEADER_FIELD_LINE_NUMBER=33
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Structured
description=DHCP CSV
disabled=false
pulldown_type=true
This works flawlessly when I manually upload this on the GUI on my searchead, but when I place it in the props.conf file on my indexers, it doesn't parse the data. It just treats one line as one event. Is there something obvious I am missing ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the props.conf documentation that describes "INDEXED_EXTRACTIONS" and "HEADER_FIELD_LINE_NUMBER", the introductory comments say:
This feature and all of its settings apply at input time, when data is
first read by Splunk. The setting is used on a Splunk system that has
configured inputs acquiring the data.
So, you probably need the following
inputs.conf on the forwarder
[monitor:///thepathtotheDHCPlogs]
sourcetype=dhcp:script_output
props.conf on the forwarder
[dhcp:script_output]
HEADER_FIELD_LINE_NUMBER=33
INDEXED_EXTRACTIONS=csv
props.conf on the indexer
[dhcp:script_output]
CHARSET=UTF-8
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Structured
description=DHCP CSV
disabled=false
pulldown_type=true
This is why it worked when you manually uploaded the data, but not when you did it the "normal way" - some of the settings must happen at input time (forwarder), and some at parsing time (indexer), and some at search time (search head).
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the props.conf documentation that describes "INDEXED_EXTRACTIONS" and "HEADER_FIELD_LINE_NUMBER", the introductory comments say:
This feature and all of its settings apply at input time, when data is
first read by Splunk. The setting is used on a Splunk system that has
configured inputs acquiring the data.
So, you probably need the following
inputs.conf on the forwarder
[monitor:///thepathtotheDHCPlogs]
sourcetype=dhcp:script_output
props.conf on the forwarder
[dhcp:script_output]
HEADER_FIELD_LINE_NUMBER=33
INDEXED_EXTRACTIONS=csv
props.conf on the indexer
[dhcp:script_output]
CHARSET=UTF-8
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Structured
description=DHCP CSV
disabled=false
pulldown_type=true
This is why it worked when you manually uploaded the data, but not when you did it the "normal way" - some of the settings must happen at input time (forwarder), and some at parsing time (indexer), and some at search time (search head).
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
worked perfectly - thank you!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
