Hi All, I have set up a universal forwarder on a Windows machine to monitor a static file which is in JSON format. The logs are being forwarded, but the point is that they are forwarded as a single event like below:
{"Env": "someenv12", "Name": "test12", "feature": "TestFeature12", "logLevel": "info", "Id": "1234", "date": 1652187242.57, "productName": "testproduct", "process_name": "test process", "pid": 695, "process_status": "sleeping", "process_cpu_usage": 0.0, "process_ram_usage": 0.0, "metric_type": "system_process"}
{"Env": "someenv13", "Name": "test13", "feature": "TestFeature12", "logLevel": "error", "Id": "234", "date": 1652187342.57, "productName": "testproduct12", "process_name": "test process", "pid": 685, "process_status": "sleeping", "process_cpu_usage": 0.0, "process_ram_usage": 0.0, "metric_type": "application_process"}
{"Env": "someenv14", "Name": "test14", "feature": "TestFeature13", "info": "error", "Id": "2344", "date": 1672187342.57, "productName": "testproduct13", "process_name": "test process", "pid": 695, "process_status": "sleeping", "process_cpu_usage": 0.0, "process_ram_usage": 0.0, "metric_type": "security"}
This entire thing is coming in as one event. I have applied line breakers in the props.conf file:
[test_sourcetype]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
BREAK_ONLY_BEFORE = {"Env"
MUST_BREAK_AFTER = \"\}
TIME_PREFIX = date
TIMEFORMAT = %s%4N
MAX_TIMESTAMP_LOOKAHEAD = 14
I have added it under /SplunkUniversalForwarder/etc/apps/splunk_TA_windows app/local/props. None of my line breaking is getting applied; please help me with this. Should I add props.conf under the default folder?
Regards, NVP
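As an added example (not part of the original post and not Splunk's own code), here is a Python pre-flight check for a newline-delimited JSON file like the one above: it splits the text the way Splunk's default LINE_BREAKER `([\r\n]+)` would, confirms that every event is one valid JSON object with a numeric `date` field, and shows which characters a TIME_PREFIX leaves for TIME_FORMAT to match within a 14-character lookahead. The sample records are constructed, and the lookahead simulation is an approximation of Splunk's behaviour, not its implementation.

```python
"""Pre-flight check for newline-delimited JSON before onboarding it to Splunk."""
import json
import re
from datetime import datetime, timezone

# Splunk's default LINE_BREAKER: one event per newline-delimited record.
LINE_BREAKER = re.compile(r"[\r\n]+")

# Constructed sample in the shape of the records in the question. The second
# record deliberately contains curly quotes, as a copy-paste from a word
# processor would produce, so that the validator has something to flag.
SAMPLE = (
    '{"Env": "someenv12", "Name": "test12", "date": 1652187242.57, "metric_type": "system_process"}\n'
    '{"Env": \u201csomeenv13\u201d, "Name": "test13", "date": 1652187342.57, "metric_type": "application_process"}\n'
    '{"Env": "someenv14", "Name": "test14", "date": 1672187342.57, "metric_type": "security"}\n'
)


def split_events(text):
    """Split raw text into events exactly as the default LINE_BREAKER would."""
    return [e for e in LINE_BREAKER.split(text) if e.strip()]


def check_events(text, time_field="date"):
    """Return (ok_count, problems); problems is a list of (event_no, reason)."""
    ok, problems = 0, []
    for n, raw in enumerate(split_events(text), start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append((n, f"invalid JSON: {exc.msg} at col {exc.colno}"))
            continue
        ts = rec.get(time_field)
        if not isinstance(ts, (int, float)):
            problems.append((n, f"missing or non-numeric {time_field}"))
            continue
        # Epoch seconds with a fractional part must be a real timestamp.
        datetime.fromtimestamp(ts, tz=timezone.utc)
        ok += 1
    return ok, problems


def text_after_prefix(raw, prefix_regex, lookahead=14):
    """Characters left for TIME_FORMAT after TIME_PREFIX matches, within lookahead."""
    m = re.search(prefix_regex, raw)
    return None if m is None else raw[m.end():m.end() + lookahead]


if __name__ == "__main__":
    print(check_events(SAMPLE))
    first = split_events(SAMPLE)[0]
    print(repr(text_after_prefix(first, r"date")))       # prefix from the question
    print(repr(text_after_prefix(first, r'"date":\s*')))  # prefix that lands on the digits
```

Running it shows that the bare prefix `date` leaves `": 1652187242.` for the time format to match, while `"date":\s*` leaves `1652187242.57,`, and that the record with curly quotes is reported as invalid JSON.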