Hi everyone, I'm stuck with an issue I can't understand... I created an app that uses a custom alert action which generates events to log (this is generating a file under $SPLUNK_HOME$/var/spool/). An example of the file could be:

Name: 1664448416_92764.stash_sourcetype1

***SPLUNK*** index="myindex" host="Host1" source="Source1"
==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==
{...event...}

I have set up an inputs.conf which is looking for this file:

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_sourcetype1]
queue = stashparsing
sourcetype = stash_sourcetype1
move_policy = sinkhole
crcSalt = <SOURCE>

Under my props.conf, I have:

[stash_sourcetype1]
TRUNCATE = 0
# only look for ***SPLUNK*** on the first line
HEADER_MODE = firstline
# we can summary index past data, but rarely future data
MAX_DAYS_AGO = 10000
# 5 years difference between two events
MAX_DIFF_SECS_AGO = 155520000
MAX_DIFF_SECS_HENCE = 155520000
TIME_PREFIX = (?m)^\*{3}Common\sAction\sModel\*{3}.*$
MAX_TIMESTAMP_LOOKAHEAD = 25
LEARN_MODEL = false
# break .stash_new custom format into events
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER = (\r?\n==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)
KV_MODE = json
TRANSFORMS-0parse_cam_header = orig_action_name_for_stash_cam,orig_sid_for_stash_cam,orig_rid_for_stash_cam,sourcetype_for_stash_cam
TRANSFORMS-1sinkhole_cam_header = sinkhole_cam_header

As you can see, I have configured my props.conf to read the first line "***SPLUNK***" in order to recover the index, host and source. However, it continues to log all logs in the "main" index and use default values for "source" and "host". It's like it's ignoring this directive, whereas it should take it into account. Does someone know why it's ignoring this directive, please? I can't find much documentation on this issue... For your information, I'm working on a standalone version of Splunk Enterprise. Thank you

EDIT: I've just noticed that my events are indexed using the sourcetype "stash_sourcetype1-too_small". This could be the reason why, but why is it adding the "too_small" and how can I prevent it?
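As an added illustration (not part of the original post and not Splunk's own parser), the Python below re-implements in simplified form what the props.conf above asks Splunk to do with such a stash file: read index/host/source from the ***SPLUNK*** first line (HEADER_MODE = firstline) and split the remainder on the LINE_BREAKER pattern. The header and separator strings are taken from the post; the sample file contents and the function names are constructed for the example.

```python
import json
import re

# First line the post's props.conf keys on (HEADER_MODE = firstline):
# ***SPLUNK*** followed by key="value" pairs.
HEADER_RE = re.compile(r'^\*{3}SPLUNK\*{3}(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Same pattern as LINE_BREAKER in the post's [stash_sourcetype1] stanza.
LINE_BREAKER = re.compile(r'\r?\n==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n')
SEPARATOR = '==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##=='

# Constructed sample in the layout shown in the post (two JSON events).
SAMPLE = (
    '***SPLUNK*** index="myindex" host="Host1" source="Source1"\n'
    + SEPARATOR + '\n'
    '{"severity": "high", "msg": "first"}\n'
    + SEPARATOR + '\n'
    '{"severity": "low", "msg": "second"}\n'
)


def parse_stash(text):
    """Return (metadata, events) for one stash file.

    Metadata (index/host/source) comes from the ***SPLUNK*** header line;
    events are the JSON chunks between LINE_BREAKER matches. A file whose
    first line is not the header is rejected, since nothing else would
    carry the index/host/source overrides.
    """
    first, _, body = text.partition('\n')
    m = HEADER_RE.match(first.rstrip('\r'))
    if not m:
        raise ValueError('first line is not a ***SPLUNK*** header')
    meta = dict(KV_RE.findall(m.group('kv')))
    # LINE_BREAKER expects a newline before the separator; the header's
    # newline was consumed by partition(), so put one back.
    chunks = LINE_BREAKER.split('\n' + body)
    events = [json.loads(c) for c in chunks if c.strip()]
    return meta, events


def write_stash(meta, events):
    """Produce a stash file in the post's layout (inverse of parse_stash)."""
    header = '***SPLUNK*** ' + ' '.join(f'{k}="{v}"' for k, v in meta.items())
    lines = [header]
    for ev in events:
        lines.append(SEPARATOR)
        lines.append(json.dumps(ev))
    return '\n'.join(lines) + '\n'
```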