Hi,
I need help with props.conf for line/event breaks. The log has to be split by a MsgId="LOGON" event followed by 8 MsgId="WSECL". Below is an example of how it should look; as of now the events are merged.
Basically, the event should break between two LOGON MsgIds.
11:08:36.472 -I [REQ MsgId="LOGON" UId="XYZ123"]
11:08:36.512 -I [REP MsgId="LOGON" Tkn="12XYZ12" UId="XYZ123"]
11:08:36.518 -I [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.524 -I [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.529 -I [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.534 -I [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.538 -I [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.544 -I [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.547 -I [REQ MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.551 -I [REP MsgId="WSECL" Tkn="12XYZ12"]
11:08:36.686 -I [REQ MsgId="ISACTIVE" Tkn="12XYZ12"]
11:08:36.686 -I [REP MsgId="ISACTIVE" Tkn="12XYZ12"]
Thanks for your help
The default linebreaker is fine. Just make sure that you are assigning it a sourcetype inside of inputs.conf and then, inside of props.conf, do this:
[YourSourcetypeHere]
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE = false
Then deploy to the indexing entities (usually Indexers) and restart all splunkd instances there. Verify by ONLY checking events indexed AFTER the restarts.
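As an added example (not from the question or the answer above), here is a Python emulation of how Splunk applies LINE_BREAKER with SHOULD_LINEMERGE=false: the text matched by the first capture group is discarded and an event boundary is placed where that group starts. It runs the default breaker and an assumed LOGON-anchored breaker over a constructed sample in the question's format, so you can see why the default yields one event per line while the lookahead pattern yields one event per LOGON session.

```python
import re

# Splunk's default LINE_BREAKER: every run of newlines is an event boundary.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Assumed pattern (not from the original post): break only on the newline(s)
# that precede a "REQ MsgId="LOGON"" line, so one event spans a whole session.
LOGON_LINE_BREAKER = (
    r'([\r\n]+)(?=\d{2}:\d{2}:\d{2}\.\d{3} -I \[REQ MsgId="LOGON")'
)


def split_events(raw, line_breaker):
    """Emulate LINE_BREAKER semantics: group 1 is consumed and marks a boundary."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)  # the matched delimiter text is dropped
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def _session(token, uid, ts):
    """Build one constructed LOGON session (2 LOGON, 8 WSECL, 2 ISACTIVE lines)."""
    lines = [f'{ts} -I [REQ MsgId="LOGON" UId="{uid}"]',
             f'{ts} -I [REP MsgId="LOGON" Tkn="{token}" UId="{uid}"]']
    for _ in range(4):
        lines.append(f'{ts} -I [REQ MsgId="WSECL" Tkn="{token}"]')
        lines.append(f'{ts} -I [REP MsgId="WSECL" Tkn="{token}"]')
    lines.append(f'{ts} -I [REQ MsgId="ISACTIVE" Tkn="{token}"]')
    lines.append(f'{ts} -I [REP MsgId="ISACTIVE" Tkn="{token}"]')
    return "\n".join(lines)


# Constructed sample log: two back-to-back sessions in the question's format.
SAMPLE_LOG = "\n".join([_session("12XYZ12", "XYZ123", "11:08:36.472"),
                        _session("34ABC34", "ABC456", "11:09:01.100")]) + "\n"


def wsecl_count(event):
    """Number of WSECL request/reply lines inside one event."""
    return event.count('MsgId="WSECL"')


if __name__ == "__main__":
    print(len(split_events(SAMPLE_LOG, DEFAULT_LINE_BREAKER)), "events with default")
    for ev in split_events(SAMPLE_LOG, LOGON_LINE_BREAKER):
        print("---", wsecl_count(ev), "WSECL lines\n" + ev)
```

The same regex dropped into props.conf as LINE_BREAKER (with SHOULD_LINEMERGE = false) under the sourcetype assigned in inputs.conf is the configuration this emulates; as the answer notes, only events indexed after the restart will reflect it.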