Re: entire file to a single event

722624 · ‎07-14-2017

SHOULD_LINEMERGE = true
MAX_EVENTS = 99999
TRUNCATE = 9999999

SHOULD_LINEMERGE = false
LINE_BREAKER = ((FAIL*))

I have tried both of above (trying each one at a time) in indexer props.conf ...and restarted splunk..to have a simple text file , entire file to go to single event but whatever I do splunk automatically splitting the file into 2 events
Is there any way to have the entire file to single event

Thank you in advance
AB

722624 · ‎07-17-2017

surprisingly...If i download the file to my PC and upload with same source type then it is reading entire file as single event....
But if the same log file is coming from forwarder, then file is being split into 2 event...

Anybody? please help

Thank you
AB

bic · ‎07-17-2017

please check the queue size from the forwarder , try indexing a smaller file and see if that is coming through in one piece

722624 · ‎07-17-2017

this file is 90 lines only hardly 4kb in size....

722624 · ‎07-17-2017

Actually documentation asked to have SHOULD_LINEMERGE= false for LINE_BREAKER ...
anyways tried your suggestion also ...
No Luck 😞

Thank you
AB

bic · ‎07-16-2017

SHOULD_LINEMERGE= TRUE, try with that

722624 · ‎07-16-2017

[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (.*?)

I tried the above... still file is split into two events....the same regex (.*?) in regex101.com is selecting the entire file

Thank you
AB

bic · ‎07-14-2017

in the LINE_BREAKER you can use regular expression to match end of file , something like (.*?) . Hope that should not break your file into two parts

entire file to a single event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?