Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my props.conf to line break before each timestamp in my multi line events?

jarapally
Explorer
‎02-06-2017 01:58 PM

Hi,

I have logs with multi line events and I am trying to line break before the timestamp, but before date there is -}",. Can you help me write the props.conf so the line breaks before the date?

2/2/2017 6:29:59 PM
"{1:F01HKHHAXXX0000000000}{2:I103SCBLHKHHXXXXN}{3:{108:1A1DF41E61005916}}{4:
:20:1A1DF41E61005916
:23B:CRED
:32A:170202HKD442455,64
:33B:HKD442455,64
:50K:/XXX SETTLEMENTS
ABC LIMITED
ADDRESS1
CITY,STATE,PROVINCE,COUNTRY
:53A:/44700839456
JEFFGB2XXXX
:59A:/44700388721
US33XXX
:71A:OUR
:72:/BNF/ HK COMM DIFF VD

-}",2/2/2017 6:29:59 PM
"{1:F01US33ABCH0000000000}{2:I210CHASGB2LXXXXN}{3:{108:54455B4301215800}}{4:
:20:54455B4301215800
:25:0077008324
:30:170203
:21:54455B4301215800
:32B:TRY120000,00
:52D:/FXX25703
ABCBANK
ADDRESS1
CITY,STATE,PROVINCE,COUNTRY
0 Karma
Reply

mpreddy
Communicator
‎02-06-2017 03:19 PM

use this attribute in props.conf

BREAK_ONLY_BEFORE = -}
* When set, Splunk creates a new event only if it encounters a new line that
matches the regular expression.
* Defaults to empty.

0 Karma
Reply

jarapally
Explorer
‎02-07-2017 06:55 AM

That did not work

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...