inputs.conf
Just as usual.
For reading the latest captured messages:
# Live input: the per-capture JSON files written directly into /data/Discord.
[monitor:///data/Discord/*.json]
# Input is active (Splunk accepts 0/1 as booleans; 0 here means "not disabled").
disabled = 0
# Only the top-level directory is watched; subdirectories are covered by the
# second monitor stanza.
recursive = false
# followTail: Splunk only reads data appended after the input starts
# (see inputs.conf.spec, which advises against leaving it on in production).
# NOTE(review): anything already in a file at startup is skipped - confirm that
# is acceptable for the "latest messages" use case.
followTail = 1
# Salt the CRC with the file path so files with identical leading bytes are
# still treated as distinct sources. Side effect: a renamed or moved file is
# re-indexed in full, so duplicates are possible if captures are rotated.
crcSalt = <SOURCE>
# Destination index and the sourcetype whose parsing rules live in props.conf.
index = discord
sourcetype = Discord_message_mon
# Host is taken from the 3rd path segment; for /data/Discord/<file>.json that is
# presumably the file name itself - verify against a sample event.
# host_segment takes precedence, so the empty "host =" below is effectively
# unused and is kept only to make that explicit.
host_segment = 3
host =
And for reading the files that might have been published already:
# Backfill input: files that were already published before the live input
# started. recursive is not set here, so Splunk's default for it applies.
[monitor:///data/Discord/Discord_Feed.json_Files/]
# Input is active (0 = not disabled).
disabled = 0
# Path-salted CRC: every file path is its own source, even with identical
# headers; renaming a file causes it to be read again from the start.
crcSalt = <SOURCE>
# Only file names ending in .csv or .txt are picked up.
# NOTE(review): the directory name suggests JSON content, yet the whitelist
# admits only .csv/.txt - confirm this is the intended set of extensions.
whitelist = .*\.csv$|.*\.txt$
# Destination index and sourcetype for the already-published material.
index = leak
sourcetype = leak:discord
# Host comes from the 4th path segment (presumably the file name under
# Discord_Feed.json_Files/ - verify). host_segment overrides the empty
# "host =" below, which is left in place only to document that choice.
host_segment = 4
host =
props.conf
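# Parsing rules for the live Discord capture sourcetype (inputs.conf stanza
# [monitor:///data/Discord/*.json]).
#
# Fix: the original carried both "SHOULD_LINEMERG = true" (misspelled key,
# silently ignored by Splunk) and "SHOULD_LINEMERGE = false". Only the
# correctly spelled setting is kept, so the effective configuration is
# unchanged but no longer looks like a contradiction.
[Discord_message_mon]
# Sourcetype is active and is offered in the sourcetype pulldown.
disabled = false
pulldown_type = 1

# --- Event boundaries -------------------------------------------------------
# One event per line; no multi-line merging.
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
# Explicitly blank: not used because line merging is off.
BREAK_ONLY_BEFORE_DATE =
# Do not skip files that look binary (captures may contain non-text bytes).
NO_BINARY_CHECK = true

# --- Field extraction -------------------------------------------------------
# Structured JSON parsing at index time and search time.
INDEXED_EXTRACTIONS = json
KV_MODE = json
# Index-time sed: drop any leading bytes before the first "{" so the line
# starts with the JSON object.
# NOTE(review): SEDCMD and INDEXED_EXTRACTIONS are applied at different stages
# of the pipeline; confirm the prefix is actually gone before the JSON
# extraction runs on your topology (forwarder vs. indexer).
SEDCMD-strip_prefix = s/^[^{]+//g

# --- Timestamp --------------------------------------------------------------
# Use the JSON field named "timestamp" as the event time.
TIMESTAMP_FIELDS = timestamp
MAX_TIMESTAMP_LOOKAHEAD = 512
# NOTE(review): "timestamp" is not one of the documented DATETIME_CONFIG values
# (CURRENT, NONE, or a datetime.xml path); Splunk may treat it as a missing
# file. Verify event times are parsed as intended or remove this key.
DATETIME_CONFIG = timestamp
# NOTE(review): the surrounding double quotes are presumably kept as literal
# characters by Splunk's .conf parser, which would stop the format from
# matching; the documented examples write TIME_FORMAT unquoted. Confirm on a
# sample event before relying on it.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%Q%::z"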
And if you are in a deployment-server managed environment, don't forget to run "/opt/splunk/bin/splunk reload deploy-server" after making changes... ;-)