i have multi line log and i want to split it line by line
i do following props.conf configaration:
[df]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MUST_BREAK_AFTER = ([\n]+)
i set it in application default directory and also in /opt/splunk/etc/system/local/props.conf
it doesnt work
log example:
Filesystem Type Size Used Avail UsePct MountedOn
udev devtmpfs 10M 0 10M 0% /dev
/dev/dm-0 ext4 95G 6.5G 84G 8% /
/dev/fuse fuse 30M 44K 30M 1% /etc/pve
/dev/sdb1 xfs 927G 285G 642G 31% /var/lib/ceph/osd/ceph-3
/dev/sdc1 xfs 927G 292G 635G 32% /var/lib/ceph/osd/ceph-4
/dev/sdd1 xfs 927G 312G 615G 34% /var/lib/ceph/osd/ceph-5
10. :/BACKUP nfs 3.6T 2.9T 756G 80% /mnt/pve/backup
after i restart the splunk its work.
i think line break doenst work if we set propf.conf in the app default directory
after i restart the splunk its work.
i think line break doenst work if we set propf.conf in the app default directory
If you do .conf changes while Splunk is running, Splunk ignores them until it's told "I'm done editing, go use this now" - most obvious way is a restart.
Line breaking in etc/apps/some_name/default works well, else no TA off splunkbase could ever do line breaking.