How to edit my props.conf to line break my sample ...

shivarpith · ‎05-18-2017

Hi,

I need help with props.conf for line/event breaks, the log has to be split by MsgId="LOGON" event followed by 8 MsgId="WSECL". below is an example how it should look like. As of now events are merged.

basically event should break between 2 LOGON MsgId's

11:08:36.472  -I  [REQ MsgId="LOGON" UId="XYZ123"]
11:08:36.512  -I  [REP MsgId="LOGON" Tkn="12XYZ12" UId="XYZ123"]
11:08:36.518  -I  [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.524  -I  [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.529  -I  [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.534  -I  [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.538  -I  [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.544  -I  [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.547  -I  [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.551  -I  [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.686  -I  [REQ MsgId="ISACTIVE" Tkn="12XYZ12"]
11:08:36.686  -I  [REP MsgId="ISACTIVE" Tkn="12XYZ12"]

Thanks for you help

woodcock · ‎05-18-2017

The default linebreaker is fine. Just make sure that you are assigning it a sourcetype inside of inputs.conf and then inside of props.conf, do this:

[YourSourcetypeHere]
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE = false

Then deploy to the indexing entities (usually Indexers) and restart all splunkd instances there. Verify by ONLY checking events indexed AFTER the restarts.

How to edit my props.conf to line break my sample data instead of merging events?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor