Splunk Enterprise
Highlighted

Universal Forwarder Multi-Line Event Line Breaking

Path Finder

Good morning all,

I have been beating my head against this issue for a week or more.  Let me give you the details.

We have one indexer and multiple Universal Forwarders in the field.  One of these forwarders I am running a scripted input to gather directory data for a file monitoring solution.

input.conf:

 

###### Scripted Input to monitor jpeg files
[script://.\bin\dircontents.bat]
disabled = 0
## Run once per minute
interval = 60
sourcetype = Script:dir_files
index = filewatch

 

dircontents.bat

 

@echo off
D:
cd /seed
dir /b

 

The forwarder gathers this data from the script:

 

24Aug2017.txt
24Jan2018.txt
28Jul2016.txt
28Jul2016.txt~
29Jan2018.txt
INCHARGE-AM-PM-AL.seedfile
INCHARGE-AM-PM-AZ.seedfile
INCHARGE-AM-PM-GA-FL.seedfile
INCHARGE-AM-PM.seedfile
MitchDRSite.list
rcp.list
TSM-seed.list

 

This data is one event with Multiple lines.  I want to bread on the line feeds.  That sounds simple enough.  

props.conf

 

[Script:dir_files]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
MAX_EVENTS = 10000
TRUNCATE = 0

 

After I deploy the configs to the UF, the data starts coming in as a single event with multiple lines.  Very frustrating!!!

I have tried many things, changed my regex around and I just can not find the solution.  

Any help would be appreciated at this time.

Let me know what you think

Rcp

 

0 Karma
Highlighted

Re: Universal Forwarder Multi-Line Event Line Breaking

SplunkTrust
SplunkTrust
Have you tried putting that props.conf file on the indexer?
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Highlighted

Re: Universal Forwarder Multi-Line Event Line Breaking

Path Finder

Rich,

I did have that thought this morning but wanted to get my question in.  I will try that and see what happens.

I would rather split the events on the UF before indexing.  That way I do not have to restart the production Splunk instance.

I'll try the props.conf on the indexer and will report the outcome.

 

Rcp

0 Karma
Highlighted

Re: Universal Forwarder Multi-Line Event Line Breaking

Path Finder

Well, that worked as expected.  The data broke on the line feeds at the indexer level.

I would still like to know if the data can be split up at the UF before sending the data.

 

Rcp

0 Karma
Highlighted

Re: Universal Forwarder Multi-Line Event Line Breaking

SplunkTrust
SplunkTrust
UFs don't do line breaking.
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.