I am not able to get this working. My case: I have Universal Forwarder 6.0, and I see in the docs that structured data parsing is done on the universal forwarder side. I made the changes to props.conf and transforms.conf as above, but I could still see too_small files at Splunk Enterprise.
My inputs.conf is something like this:
[monitor:///var/log/]
whitelist=.log$
recurse=true
This monitors everything which ends with .log.
And the props.conf settings are something like this:
[source::/var/log/kafka/server.log]
sourcetype = kafka_server
[source::/var/log/kafka/state-change.log]
sourcetype = kafka_state
[source::/var/log/kakfa/controller.log]
sourcetype = test_controller
[[(?::){0}*-too_small]]
TRANSFORMS-remove_too_small = remove_too_small
and transforms.conf is the same as above.
I see controller-too_small on the Splunk Enterprise side, which is the sourcetype automatically assigned by Splunk for /var/log/kafka/controller.log.
Any help would be appreciated.