I am trying to have separate BrkrName events.
I have a script ./iibqueuemonitor.sh that outputs:
EventType=Broker,BrkrName=MBIB001P01,Status=RUNNING
EventType=Broker,BrkrName=MBIB001P02,Status=RUNNING
But in Splunk Web, when I use this search:
index="test" source="iibqueuemonitor.sh" sourcetype="metro:iibcorpqmon" host="myhostcompany" EventType=Broker
It does not treat the 2 lines as independent events.
My inputs.conf looks like this:
[script://./bin/iibqueuemonitor.sh]
index = test
source = iibqueuemonitor.sh
sourcetype = metro:iibcorpqmon
interval = 60
disabled = 0
My props.conf:
3piib01 bin]# cat /opt/splunkforwarder/etc/apps/Metro_TA_iibcorp/local/props.conf
[metro:iibcorpqmon]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = EventType=
MUST_BREAK_AFTER
/opt/splunkforwarder/bin/splunk cmd btool props list metro:iibcorpqmon
[metro:iibcorpqmon]
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE = EventType=
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRUNCATE = 10000
detect_trailing_nulls = false
maxDist = 100
priority =
sourcetype =
I tried it after changing /opt/splunkforwarder/etc/apps/Metro_TA_iibcorp/local/props.conf but it fails again to split the EventType.
[metro:iibcorpqmon]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current
LINE_BREAKER=([\r\n]+)
Is the props.conf in the correct place?