Can any one suggest me ,how can i break the events in the below format. I want to break it on the basis of date format
I tried using (BREAK_ONLY_BEFORE_DATE = yes). This breaks the event from last_updated date,which I don't want
logfile#
2018/04/13 10:27:53
category=Cars
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/12 09:27:53
Country=America
2018/04/12 10:27:53
category=bikes
Company=xyzx
balancesheet=pqz
Country=America
2018/04/13 10:27:53
category=Cycles
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/09 19:27:53
Country=UK
Desired output
2018/04/13 10:27:53
category=Cars
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/12 09:27:53
Country=America
2018/04/12 10:27:53
category=bikes
Company=xyzx
balancesheet=pqz
Country=America
2018/04/13 10:27:53
category=Cycles
Company=xyz
balancesheet=pqz
last_updated_date=2018/04/09 19:27:53
Country=UK
Try these props.conf settings.
[mysourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = ^
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
BREAK_ONLY_BEFORE_DATE = true
TRUNCATE = 10000