Solved: LINE_BREAKER keep the line breaking regex string

season88481 · ‎04-13-2020

Hi team,

I have logs like this:

This is Tom This is Amy This is David This is Ben

I want the line breaking to be like this:

This is Tom
This is Amy
This is David
This is Ben

Here is my LINE_BREAKER config

LINE_BREAKER = (this)

And my result is like:

 is Tom
 is Amy
 is David
 is Ben

So how could I keep the line breaking regex? In my case, the "this"?

Many thanks.
S

season88481 · ‎04-13-2020

I think I can answer my own question. Seems Line breaker needs 1 capturing group. Anything matched in the group will not be indexed.
So I updated the LINE_BREAKER to be:
LINE_BREAKER = (\s)this\s

View solution in original post

season88481 · ‎04-13-2020

I think I can answer my own question. Seems Line breaker needs 1 capturing group. Anything matched in the group will not be indexed.
So I updated the LINE_BREAKER to be:
LINE_BREAKER = (\s)this\s

to4kawa · ‎04-13-2020

LINE_BREAKER is REGEX
this is not same This

LINE_BREAKER = (?i)(\s)This

Line breaker needs 1 capturing group.
Yes, you are.

LINE_BREAKER keep the line breaking regex string

Introducing Ingest Actions: Filter, Mask, Route, Repeat

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page