Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

File input buffer size vs reading file in with modular input

kuokhoet
New Member
‎11-21-2017 08:52 AM

I have a set of files that need some processing before indexing with Splunk. The multi line events can be broken out by the "Date\/Time:" regex. I was playing around with python modular input and used the following code to read the file in:

with open('text.log', 'r') as f:
    for line in f:
        event = Event()                
        event.stanza = input_name
        event.data = line
        event.sourceType = 'mylog_event'
        event.index = 'mylog_index'
        ew.write_event(event)

props.conf:

[mylog_event]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = My Log Events
pulldown_type = 1
disabled = false
BREAK_ONLY_BEFORE = Date\/Time:

When I use the modular input, the events are not broken out correctly and they are all single line each. Looking at the source of the event, each source is 10 lines. With the same props.conf file when I upload the file using the default file input, the events are broken out correctly and when looking at the sources they are all a multiple of the lines in each event.

How do I check how the default file input complete props.conf is?
What changes the number of lines grouped into a source event when reading from a file?

Thanks.

0 Karma
Reply

kuokhoet
New Member
‎11-27-2017 07:06 AM

After searching and some trial and error I found the btool command that seems to show the layering for each sourcetype and their full props.conf properties. I was using this with Splunk Enterprise 7.0.

  1. $SPLUNK_HOME/bin/splunk cmd btools props list --debug This will list out the full props.conf for all supported sourcetype. The --debug option will show which props.conf file contributed to each property.
  2. $SPLUNK_HOME/bin/splunk cmd btools props list list --debug This will list the full props.conf used for the sourcetype that the pattern matches.
  3. $SPLUNK_HOME/bin/splunk cmd btools --app= props list list --debug Specify the specific app context to list the props.conf for the matching sourcetype.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...