Can I use these two lines in a single props.conf? Will it work?
BREAK_ONLY_BEFORE=\d+:\d+\d+
BREAK_ONLY_BEFORE_DATE=true
You cannot have both of these lines for a single input. Splunk will use one of them, but ignore the other. There will probably be a message in splunkd.log but that will be the only indication of the problem - except for the fact that your events will not break the way you want!
Like @sdaniels, I wonder if this level of complexity is really necessary. But, if it is necessary, you will need to write a single regular expression that will match either the date OR the pattern.
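An added example, not part of the original answer and not Splunk's own code: a Python approximation of line merging for trying out a single combined BREAK_ONLY_BEFORE regex offline before it goes into props.conf. The YYYY/MM/DD date pattern, the line-start anchor and the sample lines are assumptions made for illustration.

```python
import re

# The pattern posted in the question, unchanged.
POSTED_PATTERN = r"\d+:\d+\d+"
# Assumption: date-led events start with YYYY/MM/DD; adjust to the real format.
DATE_PATTERN = r"\d{4}/\d{2}/\d{2}"

# One alternation for a single BREAK_ONLY_BEFORE value. Anchoring at line
# start is a choice made here so digits inside a continuation line cannot
# start a new event.
COMBINED = rf"^(?:{DATE_PATTERN}|{POSTED_PATTERN})"
UNANCHORED = rf"(?:{DATE_PATTERN}|{POSTED_PATTERN})"


def merge_lines(lines, break_before):
    """Approximate SHOULD_LINEMERGE=true: start a new event only at a line
    that matches break_before; every other line joins the current event.
    Python's re stands in for Splunk's PCRE, which is fine for these patterns."""
    rx = re.compile(break_before)
    events = []
    for line in lines:
        if rx.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(e) for e in events]


# Constructed sample input, not taken from the thread.
SAMPLE = [
    "2016/01/06 service started",
    "  loading configuration",
    "10:4512 worker connected",
    "  peer=10.0.0.5",
    "  retry scheduled at 11:300",
    "2016/01/07 service stopped",
]

if __name__ == "__main__":
    for name, rx in (("anchored", COMBINED), ("unanchored", UNANCHORED)):
        events = merge_lines(SAMPLE, rx)
        print(f"== {name}: {len(events)} events ==")
        for i, event in enumerate(events, 1):
            print(f"--- event {i} ---\n{event}")
    print(f"\nBREAK_ONLY_BEFORE = {COMBINED}")
```

The unanchored form splits the third event at its "11:300" continuation line, which is the kind of silent mis-break that leaves multi-line log records incomplete in search.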
Okay, does time_before_close=180 lead to event breaking?
Madhan45,
Sample data please.
My first question is why would this be necessary for your data set? You should only need to use one of them and I've personally not encountered a case where you'd need multiple of these when SHOULD_LINEMERGE is set to true. There is nothing in the docs that says it won't work but I'm assuming you aren't getting the desired results. Can you share what your data looks like if this is the case?
assume that below is my log:
<2016/01/06> Is restart required after making changes to Props.conf and Transforms.conf.
To not index the Current Date when indexing
I have added in my transforms.conf to ignore. But in this entire event it is ignoring only first two lines. It is not ignoring the third line "
Okay, will "time_before_close=20" in inputs.conf lead to breaking events?
You'll find details on whether you need to restart here... it depends for props and transforms. Anything search time processing related does not need a restart. http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Configurationfilechangesthatrequirerestart. I do not see your log file entries above.