Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is must_break_after configuration not working?

mjones414
Contributor
‎01-28-2016 02:44 PM

I have a large (10's of thousands of lines) data stream that runs every 10 minutes and I want it to break after this line:

sharing = default_shared

I tried putting in:

MUST_BREAK_AFTER = (sharing = default_shared)

But this did not work.

I was hoping it would take the literal string, but it's not working.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-28-2016 02:59 PM

Try something like this

[yoursourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER= ([\r\n]+)(?=sharing\s*=\s*default_shared)
... other configs....

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-28-2016 02:59 PM

Try something like this

[yoursourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER= ([\r\n]+)(?=sharing\s*=\s*default_shared)
... other configs....
0 Karma
Reply
Solved! Jump to solution

mjones414
Contributor
‎01-28-2016 03:10 PM

Worked like a champ!! Thanks so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...