Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Line breaking issue with [source] stanza (with [sourcetype] stanza working fine

Naa_Win
Path Finder
‎07-06-2023 01:13 PM

We are trying to do custom linebreaking for different types of logs under the same sourcetype using the props below.

The linebreaking in first stanza declared for the sourcetype is working fine, but none of the stanzas for [souce://] are breaking the events correctly, the entire file is getting ingested as a single event.

All the files under this sourcetype are coming in from the same directory, we have tried assigning priorities and deploying it on both forwarder and indexer, but it still doesn’t work.

Have any of you faced a similar issue before? Can you please help us resolve this.


[MY_SRCTYPE]

SHOULD_LINEMERGE=false

LINE_BREAKER=(\~|\r\n)ST\*834\*

NO_BINARY_CHECK=true

TRUNCATE=999999

CHARSET=UTF-8

priority = 1

 

[source::/mysource/ToSplunk/*.xml.*.edi]

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n\s]+)\<Policy\>[\r\n\s]+

NO_BINARY_CHECK=true

TRUNCATE=999999

CHARSET=UTF-8

priority = 5

 

[source::/mysource/ToSplunk/*.COMPARE.xml.*.edi]

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n\s]+)\<CompareMissing\>[\r\n\s]+

NO_BINARY_CHECK=true

TRUNCATE=999999

CHARSET=UTF-8

priority = 6

 

[source::/mysource/ToSplunk/*.xml.edi]

SHOULD_LINEMERGE=false

LINE_BREAKER=([\r\n\s])+\<Policy\s+

NO_BINARY_CHECK=true

TRUNCATE=999999

CHARSET=UTF-8

priority = 7

 

[source::/mysource/ToSplunk/*.RCNO*.P.OUT.*]

SHOULD_LINEMERGE=true

LINE_BREAKER=([\r\n]+)

NO_BINARY_CHECK=true

TRUNCATE=999999

CHARSET=UTF-8

priority = 8

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-06-2023 01:45 PM

Hi

this is interesting. Source::xyz always overrides sourcetype on props.conf. Then inside type (source,sourcetype,host) priority set the precedence if I understand correctly what is said on docs.

But maybe there is error on docs and priority also overrides over types? Could you drop priority attributes away from props, restart and try again?

r. Ismo

0 Karma
Reply

Naa_Win
Path Finder
‎07-06-2023 02:53 PM

Also, 

 [<spec>] stanzas with [source::<source>] patterns take priority over
stanzas with [host::<host>] and [<sourcetype>] patterns, regardless of their
respective priority key values.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-06-2023 03:40 PM

Based on this, there is needs to update docs! Can you send notice/question on props.conf documentation based on your experience?

Can you share log file names and also som content of those?

0 Karma
Reply

Naa_Win
Path Finder
‎07-06-2023 02:24 PM

Hello @isoutamo 

Thanks for your reply, I tried removing the "priority" attributes  from the props.conf. I see no events are ingesting into splunk now. 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...