Hello,
I'm trying to get some Tomcat Catalina logs to import correctly. Manually importing the files works fine, but isn't an option beyond the test I'm running. So, when I select "Add Data" from the main dashboard, select "upload files from my computer", select my file and choose the log file, and set the sourcetype as "application->catalina", I get the expected results:
Splunk Result 1:
2016-08-12 11:51:21,391 INFO [org.jasig.inspektr.audit.Slf5jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ${ticket}
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Aug 12 12:51:21 CDT 2016
CLIENT IP ADDRESS: 123.45.6.78
SERVER IP ADDRESS: myserver.mydomain.com
============================================================
host = indexer1 source = cas-81216.log sourcetype = catalina
However, when I set up a forwarder and set up my inputs.conf as follows:
[monitor://C:\test_dir\]
index=my_test_index
sourcetype=catalina
(I've tried "Catalina", and leaving this line out as well, none produced the desired results)
Every line (including the ======='s) is a separate Splunk result.
Splunk Result 1:
2016-08-12 11:51:21,391 INFO [org.jasig.inspektr.audit.Slf5jLoggingAuditTrailManager] - Audit trail record BEGIN
Splunk Result 2:
=============================================================
...etc.
So how do I get my forwarded results to not break on each line?
Thank you in advance for any help.
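The event boundary the post is asking for, as an added example that is not part of the original post: a new event starts only on a line that opens with the log timestamp, so the whole audit record stays in one event and its fields can be read together. The function names and the second record in the sample are constructed for illustration.

```python
import re

# An event starts only on a line that opens with the timestamp seen in the post.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
# "KEY: value" lines inside the audit record (keys are upper-case words).
FIELD = re.compile(r"^([A-Z][A-Z ]*[A-Z]): (.*)$")

# Constructed sample: first record copied from the post, second one invented.
SAMPLE = """\
2016-08-12 11:51:21,391 INFO [org.jasig.inspektr.audit.Slf5jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ${ticket}
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Aug 12 12:51:21 CDT 2016
CLIENT IP ADDRESS: 123.45.6.78
SERVER IP ADDRESS: myserver.mydomain.com
============================================================
2016-08-12 11:51:24,107 INFO [org.jasig.inspektr.audit.Slf5jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: jdoe
ACTION: AUTHENTICATION_FAILED
CLIENT IP ADDRESS: 203.0.113.9
=============================================================
"""

def split_events(text):
    """Group physical lines into events, breaking only before a timestamp."""
    events, current = [], []
    for line in text.splitlines():
        starts = bool(EVENT_START.match(line))
        if starts and current:
            events.append(current)
            current = []
        if starts or current:  # lines before the first timestamp are dropped
            current.append(line)
    if current:
        events.append(current)
    return events

def parse_audit(event):
    """Turn one multi-line audit event into a dict of its KEY: value fields."""
    record = {"timestamp": event[0][:23]}
    for line in event[1:]:
        m = FIELD.match(line)
        if m:
            record[m.group(1)] = m.group(2)
    return record
```

Splitting per line gives 16 separate results for this sample, none of which ties the ACTION to the CLIENT IP ADDRESS; breaking only before the timestamp gives 2 events with all fields intact.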