Thanks @shahid285
This is how I will try to resolve it:
Step 1: clear all the indexes for this source type [aci-inventory]
Step 2: remove any bucket copies of the index (optional)
Step 3: create a source type [aci-inventory] on the forwarder
Step 4: open props.conf and first get the date right
[aci-inventory]
pulldown_type = true
KV_MODE = json
description = For indexing JSON comments
category = Custom
# Event breaking: each event starts at {"ca...; Splunk breaks on the first
# capture group of LINE_BREAKER, so the "," is consumed and "}" stays with
# the previous event.
BREAK_ONLY_BEFORE = {(")ca
TIME_PREFIX = \"requested_on\":\s
TRUNCATE = 0
LINE_BREAKER = }(,){(")ca
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M
disabled = false
# Strip the {"imdata": [ wrapper; the "[" must be escaped, otherwise the
# regex engine reads it as an unclosed character class.
SEDCMD-remove = s/{\"imdata\":\s\[{/{/g
# Drop the wrapper's closing ]} (first occurrence only).
SEDCMD-find_and_replace = s/}]}]}/}]}/1
Step 5: save props.conf and restart Splunk
Step 6: push data
Step 7: check data on the search head
Just tune the above; it takes a few runs to get right.
That's it.
Give it a go, bro.
Thanks
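A way to dry-run the stanza before restarting Splunk, as an added example that is not part of the original post: Python approximating the SEDCMD, LINE_BREAKER and TIME_PREFIX stages over a constructed payload, then checking that every resulting event is valid JSON (which KV_MODE = json needs). The sample JSON, the escaped `\[` in the first SEDCMD and the optional quote after TIME_PREFIX are assumptions; Splunk's own pipeline is not called.

```python
import json
import re
from datetime import datetime

# Stanza values from the post; "[" in the first SEDCMD is escaped as "\["
# (assumption: Python's re, like PCRE, rejects an unclosed character class).
SEDCMDS = [
    (re.compile(r'{\"imdata\":\s\[{'), '{', 0),  # flag g: replace every match
    (re.compile(r'}]}]}'), '}]}', 1),            # flag 1: first match only
]
LINE_BREAKER = re.compile(r'}(,){(")ca')
TIME_PREFIX = re.compile(r'\"requested_on\":\s"?')  # "? added: JSON quotes the value
TIME_FORMAT = "%Y-%m-%d %H:%M"
# Constructed payload in the shape the stanza implies: an "imdata" wrapper
# around objects whose first key starts with "ca", each ending in "}]}".
SAMPLE = ('{"imdata": [{"caInv": [{"requested_on": "2024-01-15 10:30", "node": "leaf-101"}]},'
          '{"caInv": [{"requested_on": "2024-01-15 10:31", "node": "leaf-102"}]}]}')

def apply_sedcmds(raw: str) -> str:
    """Run the SEDCMD rewrites in stanza order."""
    for pattern, repl, count in SEDCMDS:
        raw = pattern.sub(repl, raw, count=count)
    return raw

def split_events(text: str) -> list:
    """Break on capture group 1 like LINE_BREAKER: "," is consumed, "}" stays
    with the previous event and '{"ca' opens the next one."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(text):
        events.append(text[start:m.start(1)])
        start = m.end(1)
    events.append(text[start:])
    return [e for e in events if e.strip()]

def extract_time(event: str):
    """Parse the 16 characters after TIME_PREFIX with TIME_FORMAT, else None."""
    m = TIME_PREFIX.search(event)
    try:
        return datetime.strptime(event[m.end():m.end() + 16], TIME_FORMAT) if m else None
    except ValueError:
        return None  # prefix matched but the value does not fit TIME_FORMAT

def is_json(text: str) -> bool:
    """KV_MODE = json only extracts fields from an event that parses as JSON."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False
```

Run `split_events(apply_sedcmds(SAMPLE))` and check `is_json` and `extract_time` on each event; a False or None there means the stanza needs another tuning pass before the restart.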