Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

File input buffer size vs reading file in with modular input

kuokhoet
New Member
‎11-21-2017 08:52 AM

I have a set of files that need some processing before indexing with Splunk. The multi line events can be broken out by the "Date\/Time:" regex. I was playing around with python modular input and used the following code to read the file in:

with open('text.log', 'r') as f:
    for line in f:
        event = Event()                
        event.stanza = input_name
        event.data = line
        event.sourceType = 'mylog_event'
        event.index = 'mylog_index'
        ew.write_event(event)

props.conf:

[mylog_event]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = My Log Events
pulldown_type = 1
disabled = false
BREAK_ONLY_BEFORE = Date\/Time:

When I use the modular input, the events are not broken out correctly and they are all single line each. Looking at the source of the event, each source is 10 lines. With the same props.conf file when I upload the file using the default file input, the events are broken out correctly and when looking at the sources they are all a multiple of the lines in each event.

How do I check how the default file input complete props.conf is?
What changes the number of lines grouped into a source event when reading from a file?

Thanks.

0 Karma
Reply

kuokhoet
New Member
‎11-27-2017 07:06 AM

After searching and some trial and error I found the btool command that seems to show the layering for each sourcetype and their full props.conf properties. I was using this with Splunk Enterprise 7.0.

  1. $SPLUNK_HOME/bin/splunk cmd btools props list --debug This will list out the full props.conf for all supported sourcetype. The --debug option will show which props.conf file contributed to each property.
  2. $SPLUNK_HOME/bin/splunk cmd btools props list list --debug This will list the full props.conf used for the sourcetype that the pattern matches.
  3. $SPLUNK_HOME/bin/splunk cmd btools --app= props list list --debug Specify the specific app context to list the props.conf for the matching sourcetype.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...