How do I line break this data source?

BlakeDC · ‎05-13-2016

ComputerTarget=EDITED; NeededCount=31; DownloadedCount=0; NotApplicableCount=82225; NotInstalledCount=31; InstalledCount=32; FailedCount=0
ComputerTarget=EDITED; NeededCount=202; DownloadedCount=0; NotApplicableCount=81555; NotInstalledCount=202; InstalledCount=154; FailedCount=0
ComputerTarget=EDITED; NeededCount=203; DownloadedCount=0; NotApplicableCount=81921; NotInstalledCount=203; InstalledCount=156; FailedCount=0

This is my data source. I have it setup in props.conf to linebreak after FailedCount=####### but it doesn't seem to be working (data never reaches Splunk unless I remove the props settings).

Here's my props:

[NeededCount]
CHARSET = UTF-16LE
is_valid = True
SHOULD_LINEMERGE = True
MUST_BREAK_AFTER = (FailedCount=\d{1,10})

I need help in making sure it'll break after that failedcount=#### so that each line shows up in Splunk as its own event and not just a giant event of 130+ lines.

mosman_splunk · ‎05-13-2016

LINE_BREAKER=(FailedCount=\d+)\s+ComputerTarget
SHOULD_LINEMERGE = false

Good luck

ltawfall · ‎05-13-2016

Does the file have newlines?

LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE = false

generally works.

BlakeDC · ‎05-13-2016

It's a powershell output to a file. It's basically all the lines at once.

I've tried to default which you pasted above but when I do that no data is showing up in splunk 😞

BlakeDC · ‎05-13-2016

I added a "`n" to the end of the output file so each line now has a hard break inserted. It shows up now but it's still just one single event instead of an event for each line 😞

It basically thinks I have 300 fields in this log and I can't parse!

ltawfall · ‎05-16-2016

bah.. I need to actual output file to to get this correctly. I've had to do a lot of weird line parsing lately, so it's fresh in the brain.

How do I line break this data source?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms