How to configure Splunk to parse multiple logs as ...

cj039165 · ‎07-08-2016

Hello –

New to Splunk. I’ve searched the community, but may not be using the correct wording to find an answer. See the example below of a log file I’m feeding into Splunk. Each event starts at the time stamp and ends after the “blah, blah”. When I search the log in Splunk, it’s showing multiple events together. How do I go about getting Splunk to see them as individual events?

09:16:54,126 DEBUG  [Thread-1646678] Version: 0.2
Message Format: X12
Message Type: 271_Response_005010X279A1
Status: 
Body Length: 2128

ISA blah blah blah ect

09:18:57,357 DEBUG  [Thread-1646478] Version: 0.2
Message Format: X12
Message Type: 271_Response_005010X279A1
Status: 
Body Length: 2128

ISA blah blah blah ect

pradeepkumarg · ‎07-08-2016

Splunk distinguishes each event based on the LINE_BREAKER property set for that sourcetype in props.conf. props.conf should be on your indexer(s)

http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Propsconf

How to configure Splunk to parse multiple logs as individual events, not a single event?

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Join the Conversation

How to configure Splunk to parse multiple logs as individual events, not a single event?

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...