Getting Data In

How to configure LINE_BREAKER to split a multiline event?

Path Finder

alt textI have a log file that writes everything in one line. I'm try to count the number of events in the logfile but the numbers are skewed because I need to break apart the lines. Here is a sample of a single log event:

10/20/2014 11:39:53 AM
StoreDirectory started
I:\Dicom1\1.2.840.114384.14429234.20130801.124907.145Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125004.63Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125037.19Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125154.27Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125338.7Stored Successfully

I have tried updating the props.conf on the system with the following inf

[DicomFileMoverLog]
LINE_BREAKER = (?i).*? (?P<FIELDNAME>[a-z]+)
SHOULD_LINEMERGE = False

But I get mixed results. Some come in broken apart but some show up still grouped together.

0 Karma
Highlighted

Re: How to configure LINE_BREAKER to split a multiline event?

Contributor

Add this to your props.conf and you should be OK.

BREAK_ONLY_BEFORE_DATE = true

View solution in original post

Highlighted

Re: How to configure LINE_BREAKER to split a multiline event?

Path Finder

Still having the same effect. See attachment i added to the original post.

0 Karma
Highlighted

Re: How to configure LINE_BREAKER to split a multiline event?

Path Finder

This worked...The issue was with the sourcetype on the log file. Splunk had appended a -1 to the log file name, and a -2 when I restarted the process. I repaired that issue and added the BREAK_ONLY statement and it works perfectly. Thank you for your help