Splunk Search

Is there an option to do an event break at the end of file (txt file)?

Contributor

I have a folder which contains multiple text files. I want to import these files into Splunk as events. which means each text file is 1 event. Each text file may have around 200 lines or less. Splunk seems to automatically split 1 text file to many events. What can I do to make Splunk recognize each file is an event?
*Note: each file could end with anythings, there is no specific ending pattern in the text file.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You can use BREAK_ONLY_BEFORE with an impossible string (well, relatively impossible) and it should look through the whole file without finding it and voila, you have a single file going into Splunk as a single event.

View solution in original post

SplunkTrust
SplunkTrust

You can use BREAK_ONLY_BEFORE with an impossible string (well, relatively impossible) and it should look through the whole file without finding it and voila, you have a single file going into Splunk as a single event.

View solution in original post

Contributor

@cpetterborg: thank you so much. It's work. Is it ok if you post your answer below so I could accept it?

0 Karma

SplunkTrust
SplunkTrust

Here you go.

0 Karma

Influencer

Does the text file start with a specific pattern?

You can play around with combination of below properties

BREAK_ONLY_BEFORE
TRUNCATE
SHOULD_LINEMERGE

http://docs.splunk.com/Documentation/Splunk/6.6.3/Admin/Propsconf

Contributor

the file usually starts with the text File version. I don't know what could I do if it doesn't have a specific pattern at the end in which I thought we need that to do an event break.

0 Karma

Motivator

All of these settings need to be on your indexer. It will make no difference if you put them on your search head.

0 Karma