Solved: How do I edit my props.conf to break multiline eve...

Rimah · ‎07-22-2015

Hello;

I found a problem breaking multiline events in Splunk. I need to break events that have this format:

Events: {"ext, "aaaaaaaaaaaaaaaaaaaaa","":"2"}< >{""ext, "aaaaaaaaaaaaaaaaaaaaa","":"3"}

In the props.conf file, I added these lines, but it's not breaking those events:

[stash]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
BREAK_ONLY_AFTER = (}< >)
SHOULD_LINEMERGE = TRUE

I will appreciate all your help!

Thank you

richgalloway · ‎07-22-2015

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-22-2015

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

Rimah · ‎07-23-2015

Thank you very much , by adding this lines i can break this envents .

How do I edit my props.conf to break multiline events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!