Solved: How do I edit my props.conf to break multiline eve...

Rimah · ‎07-22-2015

Hello;

I found a problem breaking multiline events in Splunk. I need to break events that have this format:

Events: {"ext, "aaaaaaaaaaaaaaaaaaaaa","":"2"}< >{""ext, "aaaaaaaaaaaaaaaaaaaaa","":"3"}

In the props.conf file, I added these lines, but it's not breaking those events:

[stash]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
BREAK_ONLY_AFTER = (}< >)
SHOULD_LINEMERGE = TRUE

I will appreciate all your help!

Thank you

richgalloway · ‎07-22-2015

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-22-2015

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false

---
If this reply helps you, Karma would be appreciated.

Rimah · ‎07-23-2015

Thank you very much , by adding this lines i can break this envents .

How do I edit my props.conf to break multiline events?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!