The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkAdministration: Mutiplexing Feeds

Previous Topic: Setting sourcetype in props.conf on a Windows server | Next Topic: Display Results

Posts 1–1 of 1

posted by: mvanaswegen | posts
date: November 19, 2009
permalink

Hi Guys

I have a question. I previously solved a event mutiplexing problem using the Splunk header, which I've been advised is no longer supported at least in the way I was using it. I received events from numerous log files (time ordered). I inserted a header before each event indicating the host, source, etc. The feed looks something like this.

[date/time stamp] <tab> [severity] <tab> [filename] <tab> [event text]

The event text can be mutiple lines. In such a case the event text will contain new lines \n.

The reason I used the header was that I could programtically set the keys i.e. source=file:myapplication.log and just index the event text.

Is there a simple way to do this without the Splunk header?

Forums: SplunkAdministration: Mutiplexing Feeds

Description:

Permalink:

Splunk.com

Product:

Solutions:

Industries:

Partners:

About_us:

Support:

Services:

Videos

Download