Splunk queries

anandhalagarasa · ‎09-08-2017

General queries

woodcock · ‎09-09-2017

Try this

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = !%&#ThisIsGarbageRegexThatWillNeverMatch!%&#

cpetterborg · ‎09-08-2017

Also see:

https://answers.splunk.com/answers/568022/is-there-an-option-to-do-an-event-break-at-the-end.html#an...

Which is very similar and was asked recently.

gcusello · ‎09-08-2017

Hi anandhalagarasan,
you have to insert in your sourcetype stanza of your props.conf the option SHOULD_LINEMERGE= true and maybe identify start point event.
I suggest to download an example of your configuration files and try to ingest it using the web interface, in this way you can immediately set your sourcetype.
Bye.
Giuseppe

anandhalagarasa · ‎09-08-2017

So kindly help on this request.

cpetterborg · ‎11-15-2017

You have edited your question to be completely useless in any context. Why did you do that?

It is also bad form to down vote a response that is not incorrect, even if it doesn't directly answer your question. If it is still correct, then you should not down vote an answer.

It is also GOOD form to accept an answer that does answer your question.

Splunk queries

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!