Hi folks,
I just got a new data feed where my events come in as a multiline event, with one key/value pair on each line. The issue I have now is that when a value has a space in it, it gets truncated. Is there a way to set the new line as the delimiter and include all text before the next new line? I did this before for a smaller data set, where I regex'ed all the fields manually, but this data source has a lot of different keys, and it would be tedious and hard to manage if I had to write a props regex for every single one.
What is your current props.conf for this sourcetype and can you provide some sample events?
In your props.conf file for this sourcetype, specify SHOULD_LINEMERGE=TRUE. That will turn your multi-line event into a single-line event. You will then have to tell Splunk where each event ends using BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, or one of the other related settings. A sample of your data will help us help you with that.
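An added configuration example, not part of the answer above, showing the line-merging settings it names together with a search-time extraction that keeps each value up to the end of its line. The sourcetype name my_kv_feed, the key=value separator and the timestamp format on the first line of each event are assumptions, since the question gives no sample data.

```ini
# props.conf  (assumed sourcetype name: my_kv_feed; adjust to yours)
[my_kv_feed]
# Merge the key/value lines into one event, and start a new event only
# where a line begins with a timestamp (assumed format: 2024-01-31 12:00:00).
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
# The default automatic key=value extraction stops a value at the first
# space, which is the truncation described in the question, so turn it off
# and use the regex-based extraction defined in transforms.conf instead.
KV_MODE = none
REPORT-kv_lines = kv_to_end_of_line

# transforms.conf
[kv_to_end_of_line]
# (?m) makes ^ and $ match at every line inside the merged event, so the
# value is everything after the first "=" up to the end of that line,
# spaces included (leading/trailing blanks are trimmed). "." does not
# cross a newline, so one line never bleeds into the next.
REGEX = (?m)^[ \t]*([^=\s]+)[ \t]*=[ \t]*(.*?)[ \t]*$
# $1 becomes the field name and $2 its value, so no per-key regex is needed.
FORMAT = $1::$2
# Apply the regex repeatedly, once per matching line, not only to the first.
REPEAT_MATCH = true
```

If keys repeat within one event, add MV_ADD = true to the transform so later values become a multivalue field instead of replacing earlier ones.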