I've managed to make it work by updating \etc\system\local\props.conf:
[multiline.txt]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = USER_*
However, taking one step forward, I'm trying to use a transform to change the name of the sourcetype. Hence, my \etc\system\local\props.conf looks like the following:
[multiline.txt]
TRANSFORMS-changesourcetype = setsourcetype
[UserAccount]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = USER_*
My \etc\system\local\transforms.conf looks like this:
[setsourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = USERACCOUNT
FORMAT = sourcetype::UserAccount
I'm able to see the new sourcetype being created. However, the line merge is failing to work now!! I suspect it's because when Splunk reads props.conf, the UserAccount sourcetype has not been created yet, so it wasn't able to set the BREAK_ONLY_BEFORE field.
Can someone confirm my fears?? And how can this be overcome?
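As an added example (not part of the original post), here is a layout of the two files that keeps line merging working. It relies on the fact that Splunk applies line breaking and merging to the incoming sourcetype before the TRANSFORMS-based sourcetype rewrite runs, so the merge settings must sit on the [multiline.txt] stanza rather than on [UserAccount]. Stanza names, the USERACCOUNT regex and the file paths are taken from the post; the comments are mine.

```ini
# \etc\system\local\props.conf
[multiline.txt]
# Line breaking/merging is evaluated against the sourcetype the data
# arrives with, before the sourcetype rewrite below is applied, so the
# settings have to live in this stanza.
SHOULD_LINEMERGE = true
# Note: this is a regex. USER_* means "USER" followed by zero or more
# underscores, so any line containing USER starts a new event.
BREAK_ONLY_BEFORE = USER_*
# Rewrite the sourcetype after the events have been assembled.
TRANSFORMS-changesourcetype = setsourcetype

[UserAccount]
# Events reach this stanza already merged. Put only settings that apply
# after the rewrite here (e.g. search-time field extractions); any
# SHOULD_LINEMERGE / BREAK_ONLY_BEFORE placed here has no effect.

# \etc\system\local\transforms.conf
[setsourcetype]
# Runs against each merged event; events containing USERACCOUNT are
# relabelled with the UserAccount sourcetype.
REGEX = USERACCOUNT
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::UserAccount
```

A quick check after restarting Splunk: search `sourcetype=UserAccount` and confirm each event spans the expected lines; if events are still single lines, the merge settings are not on the incoming sourcetype's stanza.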