I have an exe that I am calling as a script input. The data is being indexed, but I need the messages to be indexed as multiple lines per event, and each line is being indexed as an event. I was using a specific BREAK_ONLY_BEFORE property, and it was working correctly (previous version of Splunk). My problem is I don't know what [header] to place the rule under.
I have the sourcetype set to iis, and the source is called Email.
I've tried every combination I can think of:
[iis], [Email], [sourcetype:iis], [script] etc...
Any thoughts on what I can try?
[script]
BREAK_ONLY_BEFORE = Date
BREAK_ONLY_BEFORE = ###_End_Of_Mail_Message_###