Solved: MUST_BREAK_AFTER -How to give for multiple values

splunkatl · ‎09-07-2012

I have log where each transaction ends with either of one below lines

SignaturePolicy: BINDING_DEFAULT

SignatureStatus: BINDING_DEFAULT

EXCEPTION

can we give multiple values in MUST_BREAK_AFTER configuration.In splunk doc it didnot say it can configure with muliple values.

gkanapathy · ‎09-07-2012

No you can not. However, the value you provide regular expression, which can express any number of terms.

narwhal · ‎09-07-2012

Right, so something kind of like this I think:

MUST_BREAK_AFTER = (SignaturePolicy:\sBINDING_DEFAULT$)|(SignatureStatus:\sBINDING_DEFAULT$)|(EXCEPTION)

sbrant_splunk · ‎09-07-2012

Have you tried something like this?

MUST_BREAK_AFTER = Signature(Policy|Status):\sBINDING_DEFAULT|EXCEPTION

splunkatl · ‎09-07-2012

ok,thanks for giving answer so quickly

gkanapathy · ‎09-07-2012

No you can not. However, the value you provide regular expression, which can express any number of terms.

MUST_BREAK_AFTER -How to give for multiple values