I am attempting to parse Windows DHCP data. For those who aren't familiar with the format, the logs have a description which never changes from lines 1-32 of every file; on line 33 is the header, and from there on is the data in CSV format, delimited by a comma. My props.conf definition is below:
[dhcp:script_output]
HEADER_FIELD_LINE_NUMBER=33
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Structured
description=DHCP CSV
disabled=false
pulldown_type=true
This works flawlessly when I manually upload this on the GUI on my search head, but when I place it in the props.conf file on my indexers, it doesn't parse the data. It just treats one line as one event. Is there something obvious I am missing?
sourcetype isn't parsing DHCP data correctly on indexer but does when I manually add on search head
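An added example, not part of the original post: a Python check that reads a log the way the stanza above intends (fixed description block, CSV header on line 33, one event per data row), so a file can be validated offline before the configuration is blamed. The function names and the sample log, including its simplified column names, are constructed for illustration.

```python
import csv
import io

HEADER_LINE = 33  # mirrors HEADER_FIELD_LINE_NUMBER in the stanza above


def parse_dhcp_log(text, header_line=HEADER_LINE):
    """Return (fields, events, rejects) for a log whose CSV header is on header_line."""
    lines = text.splitlines()
    if len(lines) < header_line:
        raise ValueError(f"file has {len(lines)} lines, no header at line {header_line}")
    # Everything before the header is the fixed description block; skip it.
    rows = csv.reader(io.StringIO("\n".join(lines[header_line - 1:])))
    fields = [f.strip() for f in next(rows, [])]
    if len(fields) < 2:
        raise ValueError(f"line {header_line} does not look like a CSV header")
    events, rejects = [], []
    # Line numbers assume one physical line per row (no multi-line quoted fields).
    for lineno, row in enumerate(rows, start=header_line + 1):
        if not row:
            continue  # blank line
        if len(row) != len(fields):
            rejects.append((lineno, row))  # column count does not match the header
            continue
        events.append(dict(zip(fields, (v.strip() for v in row))))
    return fields, events, rejects


def build_sample():
    """Constructed sample: 32 description lines, a header, then data rows."""
    preamble = [f"description line {i}" for i in range(1, 33)]
    header = "ID,Date,Time,Description,IP Address,Host Name,MAC Address"
    data = [
        "10,01/01/24,00:00:01,Assign,192.0.2.10,host-a.example,001122334455",
        "11,01/01/24,00:05:00,Renew,192.0.2.10,host-a.example,001122334455",
        "12,01/01/24,00:06:00,Release,192.0.2.11",  # truncated row, rejected
    ]
    return "\n".join(preamble + [header] + data) + "\n"


if __name__ == "__main__":
    fields, events, rejects = parse_dhcp_log(build_sample())
    print(f"{len(fields)} fields, {len(events)} events, {len(rejects)} rejected")
    for lineno, row in rejects:
        print(f"line {lineno}: expected {len(fields)} columns, got {len(row)}")
```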