The logs below are a sample and splunk seems to deal with them most of the time, occasionally Im seeing the logs merged together and breaking at the --EOR-- point. Recommended settings for props.conf please! Any assistance greatly appreciated, thanks.
2014-03-17T12:27:23.828 SourceName=myweb5551-com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager, EventCode=100, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Thread=com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread
Message=[com.mysite.e3.platform.foundation.bus.client.beanclass.DefaultResponseManager ManagerThread is running]
--EOR--
2014-03-17T12:27:24.203 SourceName=myweb5551-com.mysite.e3.platform.foundation.core.monitoring.MonitorCounters.Internal, EventCode=101, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=MonitorCounter, Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Originator_Activity_Id=3702d9de-0d8b-4a57-b37a-eb96e925b07e, Thread=MonitorCounter
Message=[Initialized. beanUpdate = 5 sec; logUpdate = 300seconds.]
--EOR--
2014-03-17T12:27:37.344 SourceName=myweb5551-com.mysite.e3.platform.foundation.serialization.jaxbri.JaxbSerializer, EventCode=1000, Type=Information, Deployment_Unit_Name=myweb5551, Service_Name=mysite-base, Service_Version=trunk-trunk.ci.990689, Activity_Name=openBeanFactory, Activity_Id=5f2ab137-c55f-4b97-ad09-d5fc25aea897, s.search.defn.v4:com.mysite.s3.cars.messages.getchangedetail.defn.v1:com.mysite.s3.cars.messages.location.search.defn.v1 in 11024 millis.]
--EOR--
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true
This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.
[source::.../mylogs/*.log]
BREAK_ONLY_BEFORE_DATE = true
should work. You need not add anything, check and let us know
BREAK_ONLY_BEFORE=\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}
SHOULD_LINEMERGE=true
This should break the event before the next timestamp, which is effectively at the after the --EOR-- mark. Your event will thus run from the timestamp up to (and including) the --EOR--.
Looks great thanks!
The end of each event is the --EOR-- The start is the date time
where do you want it to break?