Hello,
Would anyone know how to make sure that splunk index all lines in a file?
The problem I have is that for a file having the following lines
I:11-09-29 14:58:23:Processing P&L on "T14207068"
I:11-09-29 14:58:23:Getting CVL AK for trade cont_id="14207068", trad_type="SEC", trade_ldt="26-Sep-2011 14:56:25", cp="EXEC", ca="O"
I:11-09-29 14:58:23:Getting CVL AK for trade cont_id="", trad_type="", trade_ldt="", cp="", ca=""
I:11-09-29 14:58:23:Posn ld="26-SEP-2011", tt="SEC", bk="41208", str="NONE", cont="-126", subcont="-126", isec="8274", ccy="GBP", cp="EXEC", pt="N", cvi="6000"
I:11-09-29 14:58:23:Posn ld="26-SEP-2011", tt="SEC", bk="41208", str="NONE", cont="-126", subcont="-126", isec="8274", ccy="GBP", cp="EXEC", pt="USD", cvi="6000"
is indexed only as:
I:11-09-29 14:58:23:Processing P&L on "T14207068"
I:11-09-29 14:58:23:Getting CVL AK for trade cont_id="", trad_type="", trade_ldt="", cp="", ca=""
I'm using light forwarder (4.2.0) and the inputs.conf file is very simple:
[monitor://<path to log file>.log]
disabled = 0
followTail = 1
sourcetype = DB_CNVW_Log
index = bfm_log
I tried the crcSalt = as well just in case, but didn't help.
On the server side (Splunk 4.2.3), the props.conf is:
[DB_CNVW_Log]
SHOULD_LINEMERGE = false
and there is no transforms.conf for this sourcetype.
Just for information, I'm using 4.2.0 for Light Forwarder because of a bug with wmi.conf in 4.2.1+.
Regards,
Olivier
... View more