Archive
Highlighted

Why is the event break not working when there is a new line?

Explorer

Sample data:

    {
      "sensorName": "test1"
    }
    {
      "sensorName": "test2"
    }
    {
      "sensorName": "test3"
}

Tried several regex patterns and none will show as working in the Add Data screen. Same patterns work on regex websites.

0 Karma
Highlighted

Re: Why is the event break not working when there is a new line?

SplunkTrust
SplunkTrust

Try with following

SHOULD_LINEMERGE = false
LINE_BREAKER = (\r\n]+)(?\{)
0 Karma
Highlighted

Re: Why is the event break not working when there is a new line?

Splunk Employee
Splunk Employee

Your data looks like json, check what is your sourcetype (and if on the forwarder it has a INDEXED_EXTRACTIONS=json in props.conf for the sourcetype)
If it's the case we should expect an automatic json event breaking.

0 Karma