Hi Team, I came across an issue where I have below sample logs in a file
15:30:31.396|Info|Response ErrorMessage: ||
15:30:36.610|Info|Logging Rest Client Request...||
15:30:36.610|Info|Request Uri: https://abc-domain/api/xy/Identify||
15:30:36.694|Info|Logging Rest Client Response...||
15:30:36.694|Info|Response Status Code: 401||
15:30:36.710|Info|Response Status Description: Unauthorized||
15:30:36.741|Info|Response Content: ||
15:30:36.741|Info|Response ErrorMessage: ||
15:30:36.762|Info|Logging Rest Client Request...||
I am using splunk forwarder version splunkforwarder-8.2.4-87e2dda940d1-x64-release
with below prop.conf settings
[xyz:mnl]
LB_CHUNK_BREAKER = ([\r\n]+)
On splunk portal I am not getting one line as a one event instead I am getting multiple lines as a single event like below
Hi @mayurkale471757 ,
try to upload a sample of your file using the Add Data GUI feature that guides you in the sourcetype creation.
Ciao.
Giuseppe
Thanks Guys, changing the settings at HF solved this issue
Hi @mayurkale471757 ,
good for you, see next time!
let us know if we can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi
here is some old posts how to do onboarding with your own workstation etc.
r. Ismo
Hi @mayurkale471757 ,
try to upload a sample of your file using the Add Data GUI feature that guides you in the sourcetype creation.
Ciao.
Giuseppe