|
When i try to train splunk to automatically recognize files of a given type, I get the following: Am I doing this wrong? Is there a workaround? |
One Answer:
|
Firstly, for many cases, applying sourcetypes by file pattern can be preferable to content-based recognition. The file pattern rules are easier to audit. This can be done via overlapping input stanzas (in 4.1+), or by source:: regex-like patterns in props.conf. If you do have the need to apply sourcetypes by content, then the train command is busted (SPL-31078), but it's just a candy wrapper over the following, which you can use directly for full effect: If you're trying to use train to recognize timestamps, I generally recommend using TIME_FORMAT instead. |