Line Breaking for netstat only breaks on the first...

ekenne06 · ‎10-02-2020

have a scripted input that runs:

netstat -tupn and the output shows:

tcp x.x.x.x:38314 x.x.x.x:7075 ESTABLISHED 4144/java

tcp x.x.x.x:22 x.x.x.x:62601 ESTABLISHED 5830/sshd:

tcp x.x.x.x:37032 x.x.x.x:8080 ESTABLISHED 4144/java

tcp x.x.x.x:59344 x.x.x.x:49302 ESTABLISHED 4144/java

in my props.conf I have

[<sourcetype>]

BREAK_ONLY_BEFORE = (tcp)

SHOULD_LINEMERGE = false

the events are getting indexed but I only see the first event

tcp x.x.x.x:38314 x.x.x.x:7075 ESTABLISHED 4144/java

and nothing else gets indexed. What am I missing?

thambisetty · ‎10-02-2020

Change SHOULD_LINEMERGE = True

————————————
If this helps, give a like below.

ekenne06 · ‎10-03-2020

Why is that? I thought LINEMERGE meant taking individual events and making them 1 single event? I have a multi line event that I want to be single events. Am I miss understanding that line?

Line Breaking for netstat only breaks on the first line

props.conf

scripted input

universal forwarder

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation