How to edit my props.conf to line break before eac...

jarapally · ‎02-06-2017

Hi,

I have logs with multi line events and I am trying to line break before the timestamp, but before date there is -}",. Can you help me write the props.conf so the line breaks before the date?

2/2/2017 6:29:59 PM
"{1:F01HKHHAXXX0000000000}{2:I103SCBLHKHHXXXXN}{3:{108:1A1DF41E61005916}}{4:
:20:1A1DF41E61005916
:23B:CRED
:32A:170202HKD442455,64
:33B:HKD442455,64
:50K:/XXX SETTLEMENTS
ABC LIMITED
ADDRESS1
CITY,STATE,PROVINCE,COUNTRY
:53A:/44700839456
JEFFGB2XXXX
:59A:/44700388721
US33XXX
:71A:OUR
:72:/BNF/ HK COMM DIFF VD

-}",2/2/2017 6:29:59 PM
"{1:F01US33ABCH0000000000}{2:I210CHASGB2LXXXXN}{3:{108:54455B4301215800}}{4:
:20:54455B4301215800
:25:0077008324
:30:170203
:21:54455B4301215800
:32B:TRY120000,00
:52D:/FXX25703
ABCBANK
ADDRESS1
CITY,STATE,PROVINCE,COUNTRY

mpreddy · ‎02-06-2017

use this attribute in props.conf

BREAK_ONLY_BEFORE = -}
* When set, Splunk creates a new event only if it encounters a new line that
matches the regular expression.
* Defaults to empty.

jarapally · ‎02-07-2017

That did not work

How to edit my props.conf to line break before each timestamp in my multi line events?

Introduction to Splunk AI

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Maximizing the Value of Splunk ES 8.x

Are you a member of the Splunk Community?

How to edit my props.conf to line break before each timestamp in my multi line events?

Introduction to Splunk AI

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Maximizing the Value of Splunk ES 8.x