How to break events at the hex message delimiter?

ankithreddy777 · ‎10-07-2016

I have to break events based on the hex message delimiter. When I ingest data into Splunk, it is showing as letter 'x' or whitespace between events. How do I break events at the hex message delimiter?

hunters_splunk · ‎10-09-2016

Hi ankithreddy777,

I think you can try the following in props.conf:

FIELD_DELIMITER =
* Tells Splunk which character delimits or separates fields in the specified file or source.
* This attribute supports the use of special characters.

Hope it helps. Thanks!
Hunter

lukejadamec · ‎10-07-2016

Probably 'REPORT' in props.conf and 'DELIMS' in transforms.conf.
More information would be nice.

somesoni2 · ‎10-07-2016

Sample entries please..

How to break events at the hex message delimiter?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

How to break events at the hex message delimiter?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future