 

inputs.conf

Just as usual.

For reading the latest captured messages:

# Monitor input for the Discord capture files (*.json) directly under /data/Discord.
[monitor:///data/Discord/*.json]
# Destination index and the sourcetype that selects the parsing rules.
index = discord
sourcetype = Discord_message_mon
# host is taken from the 3rd path segment; for this path that is the file name.
host_segment = 3
# NOTE(review): empty host value, presumably so host_segment decides - confirm.
host =
# Start at the end of each file when it is first seen; content already present
# at that moment is skipped, so a capture that was running before the input was
# enabled leaves a gap in the index.
followTail = 1
# Do not descend into sub-directories of /data/Discord.
recursive = false
# Mix the full source path into the file checksum: files with identical leading
# bytes stay distinct, and a renamed or moved file is read again as a new one.
crcSalt = <SOURCE>
disabled = 0

And for reading the files that might have been published already:

# Monitor input for attachments saved under the feed's *_Files directory.
[monitor:///data/Discord/Discord_Feed.json_Files/]
# Separate index and sourcetype from the chat messages themselves.
# NOTE(review): these files are third-party leak material; limit read access to
# this index to the roles that need it and treat the content as untrusted.
index = leak
sourcetype = leak:discord
# Only paths ending in .csv or .txt are read; everything else is ignored.
whitelist = .*\.csv$|.*\.txt$
# host is taken from the 4th path segment, i.e. the entry directly below
# Discord_Feed.json_Files (a file or sub-directory name - confirm which).
host_segment = 4
# NOTE(review): empty host value, presumably so host_segment decides - confirm.
host =
# Mix the full source path into the file checksum so files with identical
# leading bytes are still indexed separately.
crcSalt = <SOURCE>
disabled = 0



props.conf

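# Parsing rules for the Discord JSON capture (sourcetype Discord_message_mon).
[Discord_message_mon]
# Index-time structured extraction of the JSON fields.
INDEXED_EXTRACTIONS = json
# NOTE(review): search-time JSON extraction on top of INDEXED_EXTRACTIONS
# commonly produces duplicated field values; KV_MODE = none on the search tier
# is the usual pairing - confirm before changing.
KV_MODE = json
# Event breaking: one event per line, no merging of lines. The key is spelled
# out in full; a truncated name such as SHOULD_LINEMERG is not a recognised
# setting and only adds a contradictory-looking line to the stanza.
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
# Line-merge option, left empty here.
BREAK_ONLY_BEFORE_DATE =
# Strip any leading characters in front of the first '{' of the raw event.
SEDCMD-strip_prefix = s/^[^{]+//g
# Timestamp comes from the JSON field "timestamp".
TIMESTAMP_FIELDS = timestamp
# NOTE(review): the documented values for DATETIME_CONFIG are a datetime.xml
# path, CURRENT or NONE - confirm that "timestamp" is intended here.
DATETIME_CONFIG = timestamp
# Date, 'T', time, fractional seconds and a UTC offset.
# NOTE(review): the double quotes are part of the value as written, and %::z
# must match the offset form in the data - confirm both against real events.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%Q%::z"
MAX_TIMESTAMP_LOOKAHEAD = 512
# Process the file even if it looks binary.
NO_BINARY_CHECK = true
disabled = false
pulldown_type = 1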

And if you are in a deployment-server-managed environment, don't forget to run "/opt/splunk/bin/splunk reload deploy-server" after changes...  ;-)