Archive

need props.conf for custom log

Explorer

I have a custom log in the format where each new record has a entry followed by a pipe (|)

example log:
< date time> |

< date time> |

....

How do I get it to split records on the line that ends in pipe?

Tags (2)
0 Karma

Explorer

I am wondering about the xml payload aspect of it in my sample log I have two events each with an event def (ending in pipe) followed by a xml payload which can be 5 lines to maybe 50 lines max

< date time> |

< date time> |

does the line break on | and the line merge take care of having all of the xml payload in the same event"

0 Karma

SplunkTrust
SplunkTrust

Hi rileyken,

set in your props.conf for that sourcetype something like this:

LINE_BREAKER = \|

Maybe you also need to set

SHOULD_LINEMERGE = [true|false]
* Defaults to true.

to false.....

hope this helps ...

cheers, MuS