Re: Line Breaking for netstat only breaks on the f...

ekenne06 · ‎10-02-2020

have a scripted input that runs:

netstat -tupn and the output shows:

tcp x.x.x.x:38314 x.x.x.x:7075 ESTABLISHED 4144/java

tcp x.x.x.x:22 x.x.x.x:62601 ESTABLISHED 5830/sshd:

tcp x.x.x.x:37032 x.x.x.x:8080 ESTABLISHED 4144/java

tcp x.x.x.x:59344 x.x.x.x:49302 ESTABLISHED 4144/java

in my props.conf I have

[<sourcetype>]

BREAK_ONLY_BEFORE = (tcp)

SHOULD_LINEMERGE = false

the events are getting indexed but I only see the first event

tcp x.x.x.x:38314 x.x.x.x:7075 ESTABLISHED 4144/java

and nothing else gets indexed. What am I missing?

thambisetty · ‎10-02-2020

Change SHOULD_LINEMERGE = True

————————————
If this helps, give a like below.

ekenne06 · ‎10-03-2020

Why is that? I thought LINEMERGE meant taking individual events and making them 1 single event? I have a multi line event that I want to be single events. Am I miss understanding that line?

Line Breaking for netstat only breaks on the first line

props.conf

scripted input

universal forwarder

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation