
How to configure LINE_BREAKER to split a multiline event?

Path Finder

I have a log file that writes everything in one line. I'm trying to count the number of events in the logfile but the numbers are skewed because I need to break apart the lines. Here is a sample of a single log event:

10/20/2014 11:39:53 AM
StoreDirectory started
I:\Dicom1\1.2.840.114384.14429234.20130801.124907.145Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125004.63Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125037.19Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125154.27Stored Successfully
I:\Dicom1\1.2.840.114384.14429234.20130801.125338.7Stored Successfully

I have tried updating the props.conf on the system with the following info:

[DicomFileMoverLog]
LINE_BREAKER = (?i).*? (?P<FIELDNAME>[a-z]+)
SHOULD_LINEMERGE = False

But I get mixed results. Some come in broken apart but some show up still grouped together.

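As an added illustration (not code from this thread or from Splunk itself), the following Python models the two mechanisms under discussion: LINE_BREAKER, whose first capture group marks an event boundary and is discarded from the data, and BREAK_ONLY_BEFORE_DATE, which keeps merging lines until one that starts with a timestamp. Run over a constructed two-event sample patterned on the question's log, the regex from the question cuts every line apart and throws away the captured words, while a breaker anchored on the line break before a timestamp (or date-based merging) yields two events. The timestamp pattern is an assumption derived from the sample's format.

```python
import re

# Constructed sample patterned on the question's log: two events, each a
# timestamp line followed by status lines, with no blank line between them.
SAMPLE = (
    "10/20/2014 11:39:53 AM\r\n"
    "StoreDirectory started\r\n"
    "I:\\Dicom1\\1.2.840.114384.14429234.20130801.124907.145Stored Successfully\r\n"
    "I:\\Dicom1\\1.2.840.114384.14429234.20130801.125004.63Stored Successfully\r\n"
    "10/20/2014 11:41:07 AM\r\n"
    "StoreDirectory started\r\n"
    "I:\\Dicom1\\1.2.840.114384.14429234.20130801.125037.19Stored Successfully\r\n"
)

# Assumed timestamp format, taken from the sample: M/D/YYYY h:mm:ss AM|PM
TIMESTAMP = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"

# The regex from the question, and a breaker anchored on the line break that
# precedes a timestamp (only the captured newline is discarded).
ORIGINAL_BREAKER = r"(?i).*? (?P<FIELDNAME>[a-z]+)"
DATE_BREAKER = r"([\r\n]+)(?=" + TIMESTAMP + ")"


def split_events(raw: str, line_breaker: str) -> list[str]:
    """Model LINE_BREAKER with SHOULD_LINEMERGE=false: each match of the first
    capture group ends the current event and the group's text is dropped."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.lastindex is None:
            raise ValueError("LINE_BREAKER must contain a capture group")
        group_start, group_end = m.span(1)
        if raw[start:group_start]:
            events.append(raw[start:group_start])
        start = group_end
    if raw[start:].strip():
        events.append(raw[start:])
    return events


def merge_before_date(raw: str) -> list[str]:
    """Model SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE_DATE=true: lines are
    appended to the current event until a line that starts with a timestamp."""
    events = []
    for line in raw.splitlines():
        if re.match(TIMESTAMP, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


if __name__ == "__main__":
    print(len(split_events(SAMPLE, ORIGINAL_BREAKER)), "events with the original regex")
    print(len(split_events(SAMPLE, DATE_BREAKER)), "events with a date-anchored breaker")
    print(len(merge_before_date(SAMPLE)), "events with BREAK_ONLY_BEFORE_DATE")
```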

Re: How to configure LINE_BREAKER to split a multiline event?

Contributor

Add this to your props.conf and you should be OK.

BREAK_ONLY_BEFORE_DATE = true


Re: How to configure LINE_BREAKER to split a multiline event?

Path Finder

Still having the same effect. See attachment I added to the original post.


Re: How to configure LINE_BREAKER to split a multiline event?

Path Finder

This worked... The issue was with the sourcetype on the log file. Splunk had appended a -1 to the log file name, and a -2 when I restarted the process. I repaired that issue and added the BREAK_ONLY statement and it works perfectly. Thank you for your help.
