×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mstodola
New Member
Member since: ‎03-14-2025
‎03-14-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-14-2025
Activity Feed
Topics I've Started
View All

Re: Line breaking source types

by in Getting Data In
‎03-14-2025 07:55 AM
‎03-14-2025 07:55 AM
For 1-5, my conclusion is that I should add the following stanza in /opt/splunk/etc/apps/Splunk_TA_zeek/local/props.conf: [source::/zeek/logs/current/conn.log] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) and repeat for any other sources having the issue. In regards to 6, I have a universal forwarder monitoring the ./zeek/logs/current/ directory and forwarding directly to all the indexers. ... View more

Line breaking source types

by in Getting Data In
‎03-14-2025 07:09 AM
‎03-14-2025 07:09 AM
I am trying to fix the issue of my zeek logs not being broken into separate events. These logs are in json format and start with '{"ts":' and end with '}' (excluding single quotes). Given they are on separate lines, I would expect the code below to work. # In /opt/splunk/etc/system/local/props.conf # which I copied from the ../default/props.conf [default] ... LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = True ...  At this point I think my issue may be not knowing which stanza to place that in. I do have the SPLUNK_TA_ZEEK add-on, but that is in a specific app (not S&R). Looking under sourcetypes in the Web UI, there are zeek, zeek:conn, bro, bro_conn, etc sourcetypes, but my sourcetypes in my events are zeek_conn, etc. I went ahead and applied the above code to zeek, zeek:conn, bro, and bro_conn. TLDR: 1. What stanza do I edit? 2. Is the code snippet the correct settings? 3. Do I need to restart the cluster to apply these changes? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-14-2025 07:26 PM