How to configure Splunk to parse multiple logs as ...

cj039165 · ‎07-08-2016

Hello –

New to Splunk. I’ve searched the community, but may not be using the correct wording to find an answer. See the example below of a log file I’m feeding into Splunk. Each event starts at the time stamp and ends after the “blah, blah”. When I search the log in Splunk, it’s showing multiple events together. How do I go about getting Splunk to see them as individual events?

09:16:54,126 DEBUG  [Thread-1646678] Version: 0.2
Message Format: X12
Message Type: 271_Response_005010X279A1
Status: 
Body Length: 2128

ISA blah blah blah ect

09:18:57,357 DEBUG  [Thread-1646478] Version: 0.2
Message Format: X12
Message Type: 271_Response_005010X279A1
Status: 
Body Length: 2128

ISA blah blah blah ect

pradeepkumarg · ‎07-08-2016

Splunk distinguishes each event based on the LINE_BREAKER property set for that sourcetype in props.conf. props.conf should be on your indexer(s)

http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Propsconf

How to configure Splunk to parse multiple logs as individual events, not a single event?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation