Home/ Questions/Q 1958
Answered
Garry Christan
Asked: 2022-07-25T07:01:20+00:00

Splunk monitor does not show entire file but only shows the first line

I am monitoring a file from linux host but splunk is showing only the first line. I want to display the entire file content. I will be running a script which will generate a file with multiple line everytime and I want to stream the entire file to splunk. The below is my config, am I missing something?

splunk:
            monitors:
              - index: "test-index"
                file: "/path/my-data-*"
                sourcetype: "testsource-{{profile.pipelineBuildNumber}}"
                multiline_event_extra_waittime: "true"
splunk
Share

1 Answer

  1. Best Answer

    Added config to inputs.conf and props.conf, restarted splunk and it worked as expected.

    input.conf

    [monitor:///file*]
index = test-index
sourcetype = test-sourcetype

    props.conf

    [test-sourcetype]
DATETIME_CONFIG=CURRENT
HEADER_FIELD_LINE_NUMBER=1
FIELD_DELIMITER=,
FIELD_QUOTE="
ENDOFFILE
    • 0

Leave an answer

You must login to add an answer.

Need An Account,