Hi all,
I've been absolutely stumped with a problem now for two days. I can't seem to get event breaks working for when a file is forwarded from a server, even though it seems to work with an exact copy of the same file as long as it's on the same machine as the indexer. Could anyone please take a look to see where I went wrong?
Sample Data:
(ORD_Area_Date) INFO(19May13@21:33:12:646) Updated entrydate: SYBRCH
(ORD_Area_Date) INFO(19May13@21:33:12:731) Loading market
(ORD_Area_Date) INFO(19May13@21:33:12:747) Historical market not there - use default
(ORD_Area_Date) INFO(19May13@21:33:12:836) Loading current market
I want each event to break at (ORD_Area_Date) (this pattern is used for multiple applications, so I cannot hard code to ORD_Area_Date - it needs to regex match a set of brackets with some words in the middle).
Machine 1: Forwarder - Unix
inputs.conf:
[monitor:///logs/areaDateService/*.log*]
disabled = false
index = tarsan_dev
sourcetype = tarsan_dby_HMSf
Machine 2: Indexer - Windows
props.conf:
[tarsan_dby_HMSf]
BREAK_ONLY_BEFORE = \(([A-Za-z1-9_\s]+)\)\s
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d%b%y@%H:%M:%S:%f
TIME_PREFIX = [A-Z]\(
pulldown_type = 1
Screenshots:
Image 1 - sourcetype stanza used in props.conf above works fine in Data Preview with the local copy
Image 2 - Event breaking works fine on local copy
Image 3 - Event breaking not working on forwarded logs
Other Notes:
Image 2 and Image 3 are both from the same Indexer and the same Splunk Web. However, the local copy is on the 'main' index and the forwarded log is being stored in 'tarsan_dev'.
Events from Image 2 and Image 3 both use and have access to the same sourcetype (tarsan_dby_HMSf). It just doesn't seem to work for forwarded logs.
Events highlighted in red are the same set of events, just one with proper event breaks and one without. Timestamps match.
Any help would be greatly appreciated. Please let me know if additional information is required.
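A quick way to check that the props.conf regexes in the question do what is intended, independent of where the data is indexed, is to emulate the line-merging and timestamp-extraction settings against the sample lines. The Python below is an added example written for this page, not code from the poster or from Splunk; it is a simplification of Splunk's line merging (no MAX_EVENTS, no TIME_PREFIX lookahead limit) and uses Python's strptime in place of Splunk's. The BREAK_ONLY_BEFORE pattern is the question's, with the stray ")" removed so it compiles, and the indented continuation line in the sample input is constructed here to show a line being merged into the previous event. Getting this right matters for detection work: if forwarded events are not broken and timestamped correctly, searches and alerts based on them will be wrong.

```python
import re
from datetime import datetime

# Constructed sample input: the four lines from the question plus one
# constructed continuation line (indented, no "(ORD_Area_Date)" prefix) that
# should be merged into the preceding event rather than start a new one.
SAMPLE_LOG = """\
(ORD_Area_Date) INFO(19May13@21:33:12:646) Updated entrydate: SYBRCH
(ORD_Area_Date) INFO(19May13@21:33:12:731) Loading market
    continuation line constructed for this example, not in the original data
(ORD_Area_Date) INFO(19May13@21:33:12:747) Historical market not there - use default
(ORD_Area_Date) INFO(19May13@21:33:12:836) Loading current market
"""

# Settings taken from the props.conf in the question. The extra ")" in
# BREAK_ONLY_BEFORE is dropped so the pattern compiles.
BREAK_ONLY_BEFORE = re.compile(r"\(([A-Za-z1-9_\s]+)\)\s")
TIME_PREFIX = re.compile(r"[A-Z]\(")
# Python's %f accepts 1-6 fractional digits, so the 3-digit milliseconds parse.
TIME_FORMAT = "%d%b%y@%H:%M:%S:%f"


def break_events(text):
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: a line that
    matches the break regex starts a new event; any other line is appended
    to the current event."""
    events = []
    for line in text.splitlines():
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_timestamp(event):
    """Emulate TIME_PREFIX / TIME_FORMAT: find the prefix, then parse the text
    that follows it up to the closing parenthesis."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    token = event[m.end():].split(")", 1)[0]
    try:
        return datetime.strptime(token, TIME_FORMAT)
    except ValueError:
        return None


def application_name(event):
    """Return the bracketed application tag the break regex captured."""
    m = BREAK_ONLY_BEFORE.match(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ev in break_events(SAMPLE_LOG):
        print(application_name(ev), extract_timestamp(ev), repr(ev))
```

Running it prints four events, the second of which carries the constructed continuation line, each with the application tag and a parsed timestamp. If a rule change in props.conf is planned, adjusting the two compiled patterns here and re-running against real sample lines is a cheap way to confirm the regexes before touching the indexer.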