Problem finding title to use for my BREAK_ONLY_BEF...

robinBonin · ‎09-30-2011

I have an exe that I am calling as a script input. The data is being indexed, but I need the messages to be indexed as multiple lines per event, and each line is being indexed as a event. I was using a specific BREAK_ONLY_BEFORE property, and it was working correctly (previous version of splunk). My problem is I don't know what [header] to place the rule under.

I have the sourcetype set to iis, source is called Email
Ive tried every combination I can thing of.
[iis], [Email], [sourcetype:iis], [script] etc...

Any thoughts on what I can try?

[script] BREAK_ONLY_BEFORE = Date BREAK_ONLY_BEFORE = ###_End_Of_Mail_Message_###

bbingham · ‎10-01-2011

Breaks need to be placed in the props.conf. I assume in your inputs.conf your forcing the sourcetype to iss? If so,

inputs.conf
[script://blah.exe]
sourcetype = iis


props.conf
[iis]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Date
BREAK_ONLY_BEFORE = ###_End_Of_Mail_Message_###

you can also do this by the source as well,

props.conf
[source::Email]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Date
BREAK_ONLY_BEFORE = ###_End_Of_Mail_Message_###

That being said, you can only use 1 break_only_before block. If you want to do "or" type clauses, use the "|" delimiter

(Date)|(###_End_Of_Mail_Message_###)

or did you mean to type:

BREAK_ONLY_AFTER = ###_End_Of_Mail_Message_###

Problem finding title to use for my BREAK_ONLY_BEFORE

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!