<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: props/transforms.conf in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416369#M73559</link>
    <description>&lt;P&gt;In your props.conf for this sourcetype, you could try using a line_breaker to split, assuming all events start with "Premise="&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Premise=
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 23 May 2018 18:44:52 GMT</pubDate>
    <dc:creator>solarboyz1</dc:creator>
    <dc:date>2018-05-23T18:44:52Z</dc:date>
    <item>
      <title>props/transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416368#M73558</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have the below data and I know that props and/or transforms.conf need to be modified to have the below report as 1 event.  I'm not that familiar with how props/transforms.conf work since we have Splunk Cloud and have never modified them.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Premise= 135019
Name= Front Door
    IP= 172.16.12.103
    ID= 1
    Mac= E8:F2:E2:2D:CB:73
    FW Ver= 0.9.2.1708101
    Manufacturer= LGInnotek
    Model= Titan
    Video Size= LARGE
    Verified= true
    RSSI= -79 dB
    Supported Video Formats= [MJPEG, FLV, RTSP]
    Supported Video Codecs= [H264, MPEG4]
    FLV URL= &lt;A href="https://172.16.12.103:80/openhome/streaming/channels/0/flv" target="test_blank"&gt;https://172.16.12.103:80/openhome/streaming/channels/0/flv&lt;/A&gt;
    MJPEG URL= &lt;A href="https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg" target="test_blank"&gt;https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg&lt;/A&gt;
    API Version= 3.3.7
    MotionTurnedOn= true
    MotionSensitivy= 1 (LOW)
    Local Video Aspect Ratio= 16:9
    Local Video Resolution= 1280:720
    Remote Video Aspect Ratio= 16:9
    Remote Video Resolution= 1280:720
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 May 2018 18:18:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416368#M73558</guid>
      <dc:creator>dbcase</dc:creator>
      <dc:date>2018-05-23T18:18:41Z</dc:date>
    </item>
    <item>
      <title>Re: props/transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416369#M73559</link>
      <description>&lt;P&gt;In your props.conf for this sourcetype, you could try using a line_breaker to split, assuming all events start with "Premise="&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Premise=
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 May 2018 18:44:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416369#M73559</guid>
      <dc:creator>solarboyz1</dc:creator>
      <dc:date>2018-05-23T18:44:52Z</dc:date>
    </item>
    <item>
      <title>Re: props/transforms.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416370#M73560</link>
      <description>&lt;P&gt;Assuming your logs always starts with &lt;CODE&gt;Permise=..&lt;/CODE&gt;, try this&lt;/P&gt;

&lt;P&gt;props.conf on Indexer/HF&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 May 2018 18:51:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/props-transforms-conf/m-p/416370#M73560</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2018-05-23T18:51:55Z</dc:date>
    </item>
  </channel>
</rss>

