![]() ![]() The data is in this format with CRLF terminations after each line:ġ2-02-2016 15:02:13.567 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/tmp/testmetrics.txt'.ġ2-02-2016 15:03:02.914 DEBUG TailingProcessor - File state notification for path='/tmp/testmetrics.txt' (first time).ġ2-02-2016 15:03:03.059 DEBUG PropertiesMapConfig - Performing pattern matching for: source::/tmp/testmetrics.txtġ2-02-2016 15:03:03.059 DEBUG TailingProcessor - Skipping itemPath='/tmp/testmetrics.txt', does not match path='/proj/unix/cen/tools/splunkforwarder/etc/splunk.version' :Not a directory :Not a symlinkġ2-02-2016 15:03:03.059 DEBUG TailingProcessor - Skipping itemPath='/tmp/testmetrics.txt', does not match path='/proj/unix/cen/tools/splunkforwarder/var/log/splunk' :Not a directory :Not a symlinkġ2-02-2016 15:03:03.059 DEBUG TailingProcessor - Skipping itemPath='/tmp/testmetrics.txt', does not match path='/proj/unix/cen/tools/splunkforwarder/var/log/splunk/splunkd.log' :Not a directory :Not a symlinkġ2-02-2016 15:03:03.059 DEBUG TailingProcessor - Skipping itemPath='/tmp/testmetrics.txt', does not match path='/proj/unix/cen/tools/splunkforwarder/var/spool/splunk' :Not a directory :Not a symlinkġ2-02-2016 15:03:03.059 DEBUG TailingProcessor - Item '/tmp/testmetrics.txt' matches stanza: /tmp/testmetrics*.txt.ġ2-02-2016 15:03:03.059 DEBUG TailingProcessor - Will use CRC salt='/tmp/testmetrics.txt' for this source.ġ2-02-2016 15:03:03.059 DEBUG FilesystemFilter - Testing path=/tmp/testmetrics.txt(real=/tmp/testmetrics.txt) with global blacklisted pathsġ2-02-2016 15:03:03.059 DEBUG TailReader - Will attempt to read file: /tmp/testmetrics.txt.ġ2-02-2016 15:03:03.059 DEBUG FileClassifierManager - Finding type for file: /tmp/testmetrics.txtġ2-02-2016 15:03:03.059 DEBUG PropertiesMapConfig - Performing pattern matching for: source::/tmp/testmetrics.txt|test_priġ2-02-2016 15:03:03.059 DEBUG WatchedFile - Storing pending metadata for file=/tmp/testmetrics.txt, sourcetype=test_pri, charset=UTF-8ġ2-02-2016 15:03:03.059 DEBUG PropertiesMapConfig - Performing pattern matching for: source::/tmp/testmetrics.txt|host::testhost|test_pri|45ġ2-02-2016 15:03:03.060 DEBUG WatchedFile - Attempting to load indexed extractions config from conf=source::/tmp/testmetrics.txt|host::testhost|test_pri|45. I have tried with UF versions 6.1.2, and 6.4 running on Linux and Sun. ![]() However, when I add the nf to the UF's, no data is indexed. I have a nf on the indexer, but it's my understanding that the indexer does not parse forwarded structured data. If I omit the nf file on the Universal Forwarder (UF), the entire psv file gets indexed as one event without any parsing. I have a customer that wants to index psv files with headers. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |