Hello –
New to Splunk. I’ve searched the community, but may not be using the correct wording to find an answer. See the example below of a log file I’m feeding into Splunk. Each event starts at the time stamp and ends after the “blah, blah”. When I search the log in Splunk, it’s showing multiple events together. How do I go about getting Splunk to see them as individual events?
09:16:54,126 DEBUG [Thread-1646678] Version: 0.2
Message Format: X12
Message Type: 271_Response_005010X279A1
Status:
Body Length: 2128
ISA blah blah blah ect
09:18:57,357 DEBUG [Thread-1646478] Version: 0.2
Message Format: X12
Message Type: 271_Response_005010X279A1
Status:
Body Length: 2128
ISA blah blah blah ect
Splunk distinguishes each event based on the LINE_BREAKER property set for that sourcetype in props.conf. props.conf should be on your indexer(s).
http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Propsconf
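
A way to check a LINE_BREAKER pattern against the log from the question before putting it in props.conf. This is an added example, not part of the original answer or of Splunk's own code: the sourcetype name `x12_debug`, the regex, and the Python emulation of how the first capture group is discarded between events are assumptions made for illustration.

```python
import re

# Constructed sample: the two events from the log excerpt in the question.
SAMPLE = (
    "09:16:54,126 DEBUG [Thread-1646678] Version: 0.2\n"
    "Message Format: X12\n"
    "Message Type: 271_Response_005010X279A1\n"
    "Status:\n"
    "Body Length: 2128\n"
    "ISA blah blah blah ect\n"
    "09:18:57,357 DEBUG [Thread-1646478] Version: 0.2\n"
    "Message Format: X12\n"
    "Message Type: 271_Response_005010X279A1\n"
    "Status:\n"
    "Body Length: 2128\n"
    "ISA blah blah blah ect\n"
)

# Break only on newlines that are followed by an HH:MM:SS,mmm timestamp.
# The text matched by the first capture group is dropped between events.
LINE_BREAKER = r"([\r\n]+)(?=\d{2}:\d{2}:\d{2},\d{3}\s)"


def break_events(raw, line_breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER: cut at group 1 and discard what it matched."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def props_stanza(sourcetype="x12_debug"):  # hypothetical sourcetype name
    """Render the props.conf stanza that uses the pattern tested above."""
    return "\n".join([
        f"[{sourcetype}]",
        "SHOULD_LINEMERGE = false",      # rely on LINE_BREAKER alone
        f"LINE_BREAKER = {LINE_BREAKER}",
        "TIME_PREFIX = ^",
        "TIME_FORMAT = %H:%M:%S,%3N",    # matches 09:16:54,126
        "MAX_TIMESTAMP_LOOKAHEAD = 12",  # length of the timestamp
    ])


if __name__ == "__main__":
    for i, event in enumerate(break_events(SAMPLE), 1):
        print(f"--- event {i} ---\n{event}")
    print(props_stanza())
```

A timestamp that appears in the middle of a body line does not start a new event, because the pattern only matches directly after a line ending.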