Dear @sainag_splunk

I tried using the below props.conf:

DATETIME_CONFIG =
KV_MODE = json
LINE_BREAKER = (?:,)([\r\n]+))
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = _time
TIME_FORMAT = %2Y%m%d%H%M%S
TRUNCATE = 0
category = Structured
description = my json type without truncate
disabled = false
pulldown_type = 1
MAX_EVENTS=1000000
SHOULD_LINE_MERGE = false

But it was the same. Umm... I wonder about something in your answer. I applied it on the deployer server; it will deploy to the apps for all of the Universal Forwarders. So if I set the inputs.conf as below:

[batch://C:\splunk\my_data\*.json]
index=myIndex
sourcetype=my_json
crcSalt=<SOURCE>
move_policy = sinkhole

The app which addresses this inputs.conf has the above props.conf. However, your answer's concept is not applied this way, is it? How do I apply your answer in my system? I hope you can help me in detail. I'm sorry, I'm a beginner in Splunk.

My system has 3 search heads: 1 is the Splunk app, 2 is the cluster master and 3 is the deployer. In this, 5 indexers. So the client which has the UF installed will send the data to the 5 indexers with L/B, and we search in the 3 search heads, and the results are shown.

Please help me. Thank you.