Hi,
6 Jun 17:09:07..................
<..../>
<....../>
<....../>
abcd
hjkkk
jjjjk
This is the content of a file I am working with. Splunk breaks events at each line I have given above. I am getting output like this, as 8 events.
1 6 Jun 17:09:07..................
2
3 <..../>
4 <....../>
5 <....../>
6 abcd
7 hjkkk
8 jjjjk
I want to break lines only on the date, i.e. (only one event). I have tried the following configurations in props.config but it's not working:
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE =false
BREAK_ONLY_BEFORE=^6 Jun
[source::.........]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE = true
MUST_NOT_BREAK_BEFORE =^<
Please help
I would suggest
[source::yoursourcepathhere]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE = true
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 20
You might also want to check here in the manuals
Configure Timestamp Recognition
Configure Event Linebreaking
Note that bad line-breaking is often related to bad timestamps.
Thanks Iguinn.
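An added example, not part of the original thread: a way to check offline where a candidate break pattern would split a file shaped like the one in the question before putting it in props.conf. It emulates the documented behaviour of the LINE_BREAKER setting (used with SHOULD_LINEMERGE = false, an alternative to the line-merging settings above) with Python's re module, whereas Splunk itself uses PCRE. The sample records and both patterns are constructed assumptions.

```python
import re

# Constructed sample: two multi-line records in the shape shown in the question.
SAMPLE = (
    "6 Jun 17:09:07 start of record\n"
    "\n"
    "<a/>\n"
    "<b/>\n"
    "<c/>\n"
    "abcd\n"
    "hjkkk\n"
    "jjjjk\n"
    "6 Jun 17:09:12 next record\n"
    "<d/>\n"
    "xyz\n"
)

# Per-line breaker: every run of newlines is an event boundary.
PER_LINE = r"([\r\n]+)"
# Candidate breaker (assumption): newlines are a boundary only when a
# "D Mon HH:MM:SS" timestamp follows them.
BEFORE_TIMESTAMP = r"([\r\n]+)(?=\d{1,2} [A-Z][a-z]{2} \d{2}:\d{2}:\d{2})"


def split_events(raw, line_breaker):
    """Split raw text as LINE_BREAKER is documented to: the text matched by
    capture group 1 is discarded and marks the boundary between events."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]  # drop empty trailing pieces


def report(raw, line_breaker):
    """Print the first line and size of each resulting event."""
    events = split_events(raw, line_breaker)
    for i, e in enumerate(events, 1):
        lines = e.splitlines()
        print(f"event {i}: {lines[0]!r} (+{len(lines) - 1} more lines)")
    return events


if __name__ == "__main__":
    report(SAMPLE, PER_LINE)          # one event per non-empty line
    report(SAMPLE, BEFORE_TIMESTAMP)  # one event per timestamped record
```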