Solved: How to configure LINE_BREAKER to split a multiline...

jbouch03 · ‎10-20-2014

alt textI have a log file that writes everything in one line. I'm try to count the number of events in the logfile but the numbers are skewed because I need to break apart the lines. Here is a sample of a single log event:

10/20/2014 11:39:53 AM
StoreDirectory started
I:\Dicom1\1.2.840.114384.14429234.20130801.124907.145Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125004.63Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125037.19Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125154.27Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125338.7Stored Successfully

I have tried updating the props.conf on the system with the following inf

[DicomFileMoverLog]
LINE_BREAKER = (?i).*? (?P<FIELDNAME>[a-z]+)
SHOULD_LINEMERGE = False

But I get mixed results. Some come in broken apart but some show up still grouped together.

jimodonald · ‎10-20-2014

Add this to your props.conf and you should be OK.

BREAK_ONLY_BEFORE_DATE = true

View solution in original post

jimodonald · ‎10-20-2014

Add this to your props.conf and you should be OK.

BREAK_ONLY_BEFORE_DATE = true

jbouch03 · ‎10-20-2014

This worked...The issue was with the sourcetype on the log file. Splunk had appended a -1 to the log file name, and a -2 when I restarted the process. I repaired that issue and added the BREAK_ONLY statement and it works perfectly. Thank you for your help

jbouch03 · ‎10-20-2014

Still having the same effect. See attachment i added to the original post.

How to configure LINE_BREAKER to split a multiline event?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...