Hi,
My access logs are showing as a single event; they should show as different events.
I need each line as a single event.
Example:
8/8/12
8:42:31.000 AM
10.127.77.58 - - [08/Aug/2012:04:42:31 -0400] "GET / HTTP/1.1" 500 538 "-" "OpenNMS HttpMonitor"
10.127.77.58 - - [08/Aug/2012:04:42:31 -0400] "GET / HTTP/1.1" 500 538 "-" "OpenNMS HttpMonitor"
If your data source will never have multi-line events, you can set SHOULD_LINEMERGE = false
in props.conf under the appropriate sourcetype, source, or host.
For example:
[openNMS]
# Properties for openNMS sourcetype
SHOULD_LINEMERGE = false
If there might be multi-line events in this source of data, you can use a combination of LINE_BREAKER to identify proper line endings or TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD to identify timestamps. Splunk's default behavior is to break before a line containing a timestamp.
These are all in props.conf. http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
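As an added example (not part of the answer above), here is a props.conf stanza that applies both approaches to the access-log lines shown in the question: a LINE_BREAKER that only breaks where a new line starts with an IPv4 address, plus explicit timestamp settings for the bracketed Apache-style timestamp. The sourcetype name [openNMS] is taken from the answer; the regex and the lookahead value are my assumptions based on the sample lines.

```ini
[openNMS]
# Do not merge lines; rely on LINE_BREAKER to define event boundaries.
SHOULD_LINEMERGE = false
# Break only at a newline that is followed by an IPv4 address and whitespace,
# i.e. the start of a new access-log line. The capture group is the part
# that Splunk discards (the newline itself), so continuation lines that do not
# start with an address stay attached to the previous event.
LINE_BREAKER = ([\r\n]+)(?=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s)
# The timestamp sits inside square brackets after the two "-" fields.
TIME_PREFIX = \[
# Matches 08/Aug/2012:04:42:31 -0400
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
# "08/Aug/2012:04:42:31 -0400" is 26 characters, so do not scan further
# than that after TIME_PREFIX matches (assumed value for this format).
MAX_TIMESTAMP_LOOKAHEAD = 26
```

Two things worth checking when testing this: these are index-time settings, so they only affect data indexed after the change (already indexed events are not re-broken), and they must be placed where the data is parsed (an indexer or heavy forwarder), since a universal forwarder does not apply LINE_BREAKER or timestamp extraction.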