Solved: How do I edit my props.conf to break multiline eve...

Rimah · ‎07-22-2015

Hello;

I found a problem breaking multiline events in Splunk. I need to break events that have this format:

Events: {"ext, "aaaaaaaaaaaaaaaaaaaaa","":"2"}< >{""ext, "aaaaaaaaaaaaaaaaaaaaa","":"3"}

In the props.conf file, I added these lines, but it's not breaking those events:

[stash]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
BREAK_ONLY_AFTER = (}< >)
SHOULD_LINEMERGE = TRUE

I will appreciate all your help!

Thank you

richgalloway · ‎07-22-2015

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-22-2015

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

Rimah · ‎07-23-2015

Thank you very much , by adding this lines i can break this envents .

How do I edit my props.conf to break multiline events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation