Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set SHOULD_LINEMERGE = false as default when using monitor to upload data?

yunieyuna
New Member
‎04-07-2019 10:24 PM

Hi, I need to upload a bunch of logs into Splunk by using monitor directory function.
But the data will be merged together if the "SHOULD_LINEMERGE" set to "true". I already known how to set it when uploading one file, but not using "monitor.

Can any one please help me?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-08-2019 06:45 PM

Do not use the GUI for onboarding new data. Use the CLI and create an app with the settings that you need in the default folder.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎04-08-2019 05:53 AM

Hi,

In this case create new unique sourcetype and assign it to monitor stanza and on Indexer/Heavy Forwarder implement below config.

props.conf

[yourSourcetype]
SHOULD_LINEMERGE = false
0 Karma
Reply

yunieyuna
New Member
‎04-08-2019 05:33 PM

Hello Harsmarvania57,

Thank you so much for your answer!

Actually, I ran into another problem when I tried to create a new sourcetype.
I set SHOULD_LINEMERGE = false under the Advanced tab. However, every time I clicked Save button, the setting will automatically changed to "true". And the same situation happens again and again.

I added two screenshots as references.

Goal: ![alt text][https://ibb.co/0n5ngG3]
However: ![alt text][https://ibb.co/b1h5zjM]

0 Karma
Reply

harsmarvania57
Ultra Champion
‎04-09-2019 01:35 AM

As @woodcock suggested, it will be good to use CLI instead of GUI. Most of the work I do on CLI instead of GUI.

0 Karma
Reply

pir8radio
Path Finder
‎06-28-2021 08:51 AM

Then please include instructions how to do that in windows splunk.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...