Solved: line breaking

srinathd · ‎10-08-2013

Need to break a log file into multiple events while indexing if there are no newline characters
sample log file data:
\xE1\xA\x01\x00RFD \x00\x00\x00\x1\x00\x00\x7\x00\x00\x00\x3\x11\x00\x00\x33MQSIR \x00\x00\x00\x00\x00\x00\x4\xB8\x00\x00\x01HTestINF/LI/Item/Tested \x00\x00\x6\x7CYSRINATH 00000153311234ABCD 2013-10-03-02.33.51.750348ANDHRA IND AP 12.123+ 12.123+ \xE2\xB\x02\x00RFO \x00\x00\x00\x2\x00\x00\x7\x00\x00\x00\x3\x12\x00\x00\x34MQSJR \x00\x00\x00\x00\x00\x00\x4\xB8\x00\x00\x02HTestINF/LI/Item/Tested \x00\x00\x6\x8CYSRINATH 00001483531234ABCD 2013-10-03-02.33.52.033155ANDHRA IND AP 12.123+ 12.123+

Highlighted text is the starting of second event in the log

alacercogitatus · ‎10-08-2013

You can try setting the line breaker in props.conf. This regex will look for whitespace at least 35 characters long, and then split the line. This will require a restart of Splunk.

[my_sourcetype] LINE_BREAKER = (\s{35,})

View solution in original post

alacercogitatus · ‎10-08-2013

You can try setting the line breaker in props.conf. This regex will look for whitespace at least 35 characters long, and then split the line. This will require a restart of Splunk.

[my_sourcetype] LINE_BREAKER = (\s{35,})

line breaking

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!