I'm new to Splunk, but I've been working for 3 days straight to figure out how to simply input a log and have Splunk index each line as an individual event. Unfortunately, it seems to group random numbers of lines together into individual groups. Can anyone point me in the right direction?
Some details: the file is a Snort "barnyard2" fast_alert file. It has one entry per line; here is a sample:
---
11/15-21:44:11.545196 [] [1:466:5] ICMP L3retriever Ping [] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} XXX.XXX.18 -> YYY.YYY.6
11/15-21:44:12.295033 [] [1:1448:13] MISC MS Terminal server request [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} XXX.XXX1.18:23249 -> YYY.YYY.6:3389
11/15-21:44:30.470828 [] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [] [Classification: Misc activity] [Priority: 3] {ICMP} ZZZ.ZZZ.10 -> xxx.xxx.xxx.xxx
---
The format is very simple, one line apiece, starts with a time stamp, ends with src and dest IPs. But when I suck it into Splunk, it groups the lines together into random groups. I need them each to be an individual event.
Thanks,
KD
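For reference, an added example (not from the poster) of the Splunk configuration that makes this format index one event per line: the sourcetype name `barnyard2_fast`, the monitor path and the field names in the extraction are assumptions, and note that the timestamps carry no year, so Splunk has to infer it.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data)
# Sourcetype name "barnyard2_fast" is an assumption; pick any name and
# use the same one in inputs.conf below.
[barnyard2_fast]
# Index-time line breaking: never merge lines, break on every newline.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp is at the very start of each line: 11/15-21:44:11.545196
# (%6N = six microsecond digits; no year field is present in the data).
TIME_PREFIX = ^
TIME_FORMAT = %m/%d-%H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 24
# Guard against a runaway line; fast_alert lines are a few hundred bytes.
TRUNCATE = 4096
# Search-time field extraction for the fast_alert layout shown above.
# Bracketed markers are matched generically with \[[^\]]*\] because the
# sample shows them as "[]". Field names (gid, sid, rev, signature,
# classification, priority, proto, src, dest) are the example's own choice.
EXTRACT-barnyard2_fast = ^(?<timestamp>\S+)\s+\[[^\]]*\]\s+\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<signature>.+?)\s+\[[^\]]*\]\s+\[Classification:\s+(?<classification>[^\]]+)\]\s+\[Priority:\s+(?<priority>\d+)\]\s+\{(?<proto>\w+)\}\s+(?<src>\S+)\s+->\s+(?<dest>\S+)$

# inputs.conf (on the forwarder reading the file); path is a placeholder.
[monitor:///PLACEHOLDER/path/to/barnyard2/fast_alert]
sourcetype = barnyard2_fast
disabled = false
```

Index-time settings (SHOULD_LINEMERGE, LINE_BREAKER, TIME_*) only take effect for data ingested after the change, so re-index a sample to confirm each line lands as its own event; for TCP entries src and dest will carry the port suffix (XXX.XXX1.18:23249), which can be split in a further extraction if needed.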