I have a file that contains one really long line, see below
Example:
["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on..
How can I break up each ["2017-10-09 13:05",976.0,"OK"] into events?
I first tried to accomplish this in props.conf with no luck.
So now I'm adding the file using "upload file" just to see if I can break the line, still with no luck.
Any pointers would be much appreciated.
In props.conf you should be able to configure line breaking. A regex of something like LINE_BREAKER=\]([,]) might do the trick.
You can also do this via the UI. Just go to Add Data>Monitor/Upload/Forward. Eventually, you'll get to the Set Sourcetype stage and you can configure the event breaks there. You can see where/how the events are going to break and adjust accordingly.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Modifyeventprocessing
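To check offline where a LINE_BREAKER regex like the one suggested above would split the sample line, the following added example (not part of the original posts and not Splunk code) approximates the capture-group behaviour in Python. `break_events`, `parse_event` and the sample data are constructed for illustration, and Python's `re` stands in for Splunk's PCRE engine.

```python
import json
import re
from datetime import datetime

# Constructed sample: three records in the shape shown in the question.
SAMPLE = ('["2017-10-09 13:05",976.0,"OK"],'
          '["2017-10-09 13:06",908.0,"OK"],'
          '["2017-10-09 13:07",1001.0,"OK"]')

def break_events(raw, line_breaker):
    """Approximate Splunk's LINE_BREAKER semantics with Python's re module.

    Each match is an event boundary: the previous event ends where capture
    group 1 starts, the next event begins where group 1 ends, and the text
    matched by group 1 is discarded.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capture group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) < 0:      # group 1 did not take part in this match
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    if start < len(raw):        # trailing event after the last boundary
        events.append(raw[start:])
    return events

def parse_event(event):
    """Check that an event is one complete record and read its timestamp.

    The strptime format is an assumption based on the sample data.
    """
    ts, value, status = json.loads(event)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), value, status

if __name__ == "__main__":
    for ev in break_events(SAMPLE, r"\]([,])"):
        print(parse_event(ev), "<-", ev)
    # An unanchored comma breaker splits inside records as well.
    print(len(break_events(SAMPLE, r"(,)")), "fragments with (,)")
```

Anchoring the breaker on the closing bracket is what keeps the commas inside each record from becoming event boundaries.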
Hi,
what did you try to do in your props.conf?
What you are looking for is the BREAK_ONLY_BEFORE (or MUST_BREAK_AFTER) setting.
I would go with something like this:
[your_sourcetype (defined in inputs.conf)]
MUST_BREAK_AFTER = (\"\]\,)
So, your event gets broken after the comma.
Skalli