I am trying to break these into separate events and have tried everything and its just not working
< sale id="1012128864" reportGroup="asdasd" customerId="7412213255" >
< orderId>101221348864 < /orderId >
< amount>1999 < /amount >
< orderSource >ecommerce < /orderSource >
< token >
<litleToken >8888888888888 < /litleToken >
< expDate >1120 < /expDate >
< /token >
< / sale >
props.conf are
[custom_sourcetype]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \
SHOULD_LINEMERGE = true
Kindly share couple of more
_raw logs from log file..
It won't seem to let me upload the file, but literally there are just a bunch of blocks like this that are exactly the same with different element values. No timestamps
This works for me with your sample data.
props.conf are
[custom_sourcetype]
BREAK_ONLY_BEFORE = \<\s*sale\s
MUST_BREAK_AFTER = \<\s*/sale\s*\>
BREAK_ONLY_BEFORE_DATE = false
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
Odd this still doesn't work for me. I must have doe setting somewhere overriding this. Any ideas where it might be? The props.conf I am editing is definitely the etc/system/local.props.conf
The only thing that overrides etc/system/local would be if you're using a clustered indexing setup, with custom rules pushed by the cluster master to the indexer peers. So unless you're in a cluster, system/local/props.conf is the king of the hill.
Hmm, im stumped then, because we definitely aren't doing that. Ill keep working on it.
Sorry, yes this is an example of a single event, with many others formatted the same. No matter what I try, it won't break them up.
This is one event you have or you want to break these into separate entries?