Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my props.conf to break multiline events?

Rimah
Engager
‎07-22-2015 12:55 AM

Hello;

I found a problem breaking multiline events in Splunk. I need to break events that have this format:

Events: {"ext, "aaaaaaaaaaaaaaaaaaaaa","":"2"}< >{""ext, "aaaaaaaaaaaaaaaaaaaaa","":"3"}

In the props.conf file, I added these lines, but it's not breaking those events:

[stash]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
BREAK_ONLY_AFTER = (}< >)
SHOULD_LINEMERGE = TRUE

I will appreciate all your help!

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2015 08:23 AM

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2015 08:23 AM

BREAK_ONLY_AFTER is not a valid attribute. Do you mean BREAK_ONLY_BEFORE or MUST_BREAK_AFTER?
You've specified the SHOULD_LINEMERGE attribute twice. The last instance is the one that will be used. Consider this stanza:

[stash]
LINE_BREAKER = ([\r\n]+)|(< >)
SHOULD_LINEMERGE = false
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Rimah
Engager
‎07-23-2015 04:44 AM

Thank you very much , by adding this lines i can break this envents .

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...