I have a sourcetype that requires "SHOULD_LINEMERGE=False" and I'm attempting to break out a multi-line event in that sourcetype.
Basically, I'm attempting to capture the entire 'stack dump' as a single event in Splunk. I thought line breaker would be a good method; however, reading the documentation, it may not be a good fit.
Does anyone have any ideas on how to extract a multi-line stack dump into a single event?
This is an example of a dump:
You could put the following in props.conf:
[yoursourcetypehere]
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE=-- Memory Info Start --
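
Splunk consults BREAK_ONLY_BEFORE only when SHOULD_LINEMERGE is true, so with line merging off the break point has to be expressed in LINE_BREAKER instead. The following is an added example (not from the thread and not Splunk code) that models LINE_BREAKER's first-capture-group rule in Python so a candidate regex can be checked offline before it goes into props.conf; the sample dump lines are constructed, and only the "-- Memory Info Start --" marker comes from the answer above.

```python
import re

# Constructed sample: two stack dumps. Only the marker line comes from the
# thread; every other line is made up for illustration.
MARKER = "-- Memory Info Start --"
SAMPLE = (
    "-- Memory Info Start --\n"
    "heap used: 512 MB\n"
    "  at worker.run(worker:42)\n"
    "-- Memory Info Start --\n"
    "heap used: 640 MB\n"
    "  at worker.stop(worker:77)\n"
)

# Splunk's default LINE_BREAKER: every run of newlines ends an event.
DEFAULT_BREAKER = r"([\r\n]+)"
# Candidate props.conf value (assumes each dump starts with the marker):
#   LINE_BREAKER = ([\r\n]+)(?=-- Memory Info Start --)
DUMP_BREAKER = r"([\r\n]+)(?=-- Memory Info Start --)"


def split_events(raw, line_breaker):
    """Split raw text the way LINE_BREAKER does when SHOULD_LINEMERGE=false.

    The text matched by capture group 1 is discarded; the previous event
    ends where the group starts and the next event begins where it ends.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) == -1:  # group 1 did not take part in this match
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]  # drop empty trailing chunk


if __name__ == "__main__":
    for name, rx in (("default", DEFAULT_BREAKER), ("dump", DUMP_BREAKER)):
        events = split_events(SAMPLE, rx)
        print(f"{name}: {len(events)} event(s)")
```
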