suj
Reputation: 529
Splunk monitor does not show entire file but only shows the first line
I am monitoring a file from linux host but splunk is showing only the first line. I want to display the entire file content. I will be running a script which will generate a file with multiple line everytime and I want to stream the entire file to splunk. The below is my config, am I missing something?
splunk:
monitors:
- index: "test-index"
file: "/path/my-data-*"
sourcetype: "testsource-{{profile.pipelineBuildNumber}}"
multiline_event_extra_waittime: "true"
Upvotes: 0
Views: 511
Answers (1)
suj
Reputation: 529
Added config to inputs.conf and props.conf, restarted splunk and it worked as expected.
input.conf
[monitor:///file*]
index = test-index
sourcetype = test-sourcetype
props.conf
[test-sourcetype]
DATETIME_CONFIG=CURRENT
HEADER_FIELD_LINE_NUMBER=1
FIELD_DELIMITER=,
FIELD_QUOTE="
ENDOFFILE
Upvotes: 2
Related Questions
- incorrect log feed in Splunk
- Splunk panel showing graph for a specific time range
- Splunk query not endswith
- Splunk produces a table with only one row
- Splunk viewing '_value' not using mcatalog
- stats latest not showing any value for field
- splunk is reporting each line of stacktrace as a separate event
- Splunk extracted field in dashboard
- Splunk post-process timecharts display "no results found" in dashboard, but query on its own is fine
- Splunk Error Log Dashboard