I have many events of 500 lines. Only the first 10 lines are important. How can I truncate, discard, or ignore the remaining lines before indexing?
When I use MAX_EVENTS in props.conf, Splunk breaks the event after 10 lines and creates a new event. I tried using BREAK_ONLY_BEFORE and LINEBREAK, but nothing seems to be working.
Please suggest a props.conf entry to index only 10 lines from an event.
Thanks for the reply.
I am indexing a file from the Web UI. I created props.conf and transforms.conf in the default directory as mentioned.
Restarted Splunk. Then, when I select the sourcetype as "testSourceType", I see the transforms name in Advanced, but the right-hand side preview still shows large events and is not discarding lines after 10.