I want a configuration so that events are divided on the basis of the time prefix @ and the timestamp configuration %H:%M:%S.%3N. Each event starts with this config and not in the middle of an event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)@
expected =====>
@13:38:06.9061 [ISCC] [connection 7fe1807fbed0] connecting [0]1
@13:38:06.9066 [ISCC] SERVER: (EMEA_IRL_ORK_TSvr_B) set cluster info1
@13:38:06.9068 [ISCC] SERVER: (EMEA_IRL_ORK_TSvr_B) set cluster info2
But Splunk is breaking the following event as well:
-AI[t/o:90000,trace]->-42 @13:38:06.8883
If you could post 2 or 3 example events, we could help further.
You can define your own line breaks. Please refer to the link below:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents
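
An added example, not part of the thread and not Splunk's own code: a small Python harness for checking a LINE_BREAKER candidate offline against sample data before deploying it. It assumes the documented behaviour that capture group 1 is discarded and the text after it starts the next event, and that Python's `re` treats these patterns the same way Splunk's PCRE does; `split_events`, `bad_starts`, the stricter regex and the sample lines not quoted in the question are constructed for illustration.

```python
import re

# Constructed sample. Lines 2, 3 and 5 are quoted from the question; line 1 and
# line 4 (a continuation that happens to begin with "@") are constructed.
SAMPLE = (
    "@13:38:06.8880 [ISCC] request sent\n"
    "-AI[t/o:90000,trace]->-42 @13:38:06.8883\n"
    "@13:38:06.9061 [ISCC] [connection 7fe1807fbed0] connecting [0]1\n"
    "@attr: continuation line\n"
    "@13:38:06.9066 [ISCC] SERVER: (EMEA_IRL_ORK_TSvr_B) set cluster info1\n"
)

PAGE_BREAKER = r"([\r\n]+)@"                          # as posted in the question
STRICT_BREAKER = r"([\r\n]+)@\d{2}:\d{2}:\d{2}\.\d+"  # hypothetical stricter variant
TS_START = re.compile(r"@\d{2}:\d{2}:\d{2}\.\d+")     # "@" followed by a timestamp


def split_events(raw, line_breaker):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false (assumed semantics):
    text before capture group 1 ends an event, group 1 is discarded,
    and text after group 1 begins the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    # Drop the empty tail left by the final newline.
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


def bad_starts(events):
    """Return events that do not begin with '@' followed by a timestamp."""
    return [e for e in events if not TS_START.match(e)]


if __name__ == "__main__":
    for name, rx in (("page", PAGE_BREAKER), ("strict", STRICT_BREAKER)):
        events = split_events(SAMPLE, rx)
        print(f"{name}: {len(events)} events, {len(bad_starts(events))} bad starts")
        for e in events:
            print("  |", e.replace("\n", "\n  |   "))
```

Neither pattern breaks on the `@13:38:06.8883` that sits mid-line, because both require a preceding newline; the two differ only when a continuation line itself begins with `@`.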