Hi,
I am testing a Splunk config on my local machine before implementing it in production, so I am indexing a JSON file of about 5000 lines. However, when it is indexed I get a single event containing only about 138 lines if I set SHOULD_LINEMERGE = true in props.conf. If I set it to false, I get about 218 events of about 2-3 lines each. How can I get Splunk to index all of the lines? I don't really care whether it shows up as one event or as multiple events; I just want to see the entire content of the file. Here is my props.conf:
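# props.conf used to test indexing of a JSON file of about 5000 lines.
#
# NOTE(review): [default] applies to every source and sourcetype that does not
# override a setting. The line-breaking, truncation and timestamp values below
# would therefore also change how unrelated data (including security logs) is
# parsed once this reaches production. Consider moving the modified settings
# into a stanza for the JSON sourcetype only, e.g. [<your_json_sourcetype>]
# (placeholder name).
[default]
CHARSET = UTF-8
LINE_BREAKER_LOOKBEHIND = 100
# NOTE(review): empty value. props.conf.spec documents ([\r\n]+) as the
# default line breaker; confirm how an explicitly empty setting is treated.
LINE_BREAKER =
# 0 disables truncation (props.conf.spec). The value originally posted,
# 100000000000000000000, does not fit in a 64-bit integer and may not be
# parsed as intended. With no limit an oversized input line is kept whole,
# so prefer a finite cap sized to the largest legitimate event in production.
TRUNCATE = 0
DATETIME_CONFIG = /etc/datetime.xml
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = True
HEADER_MODE =
MATCH_LIMIT = 100000
DEPTH_LIMIT = 1000
# Timestamp acceptance window and lookahead, as posted.
MAX_DAYS_HENCE = 2
MAX_DAYS_AGO = 2000
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_TIMESTAMP_LOOKAHEAD = 128
# With line merging off, events are delimited by LINE_BREAKER alone. The
# BREAK_ONLY_BEFORE*, MUST_* and MAX_EVENTS settings below are only consulted
# when SHOULD_LINEMERGE = true.
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = Path=
# NOTE(review): when merging is on, a line containing a recognizable date
# starts a new event; this may explain the partial events seen with
# SHOULD_LINEMERGE = true -- confirm against the file's contents.
BREAK_ONLY_BEFORE_DATE = True
# Maximum number of input lines merged into one event (merge mode only).
MAX_EVENTS = 6000000
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
TRANSFORMS =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
LEARN_SOURCETYPE = true
LEARN_MODEL = true
maxDist = 100
AUTO_KV_JSON = true
detect_trailing_nulls = false
sourcetype =
priority =
# After a test ingest, check splunkd.log for truncation warnings
# (LineBreakingProcessor) and MAX_EVENTS warnings (AggregatorMiningProcessor)
# to confirm that no part of the file was silently cut off.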