I'm having issues with line breaking for some reason. I'm looking to break the data into individual line events. I've included the following in the specific app's props.conf. Any suggestions?
props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
raw data
y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|
y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|
y8200|ACH-R|05/16/2017|2|1|43093|106558388.19|40396|117051987.96|INC_ACH-R2-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|3|1|14949|6935959.69|5846|5575650.96|INC_ACH-R3-0516.PBS|05/16/2017||0|
y8200|ACH-R|05/16/2017|4|1|11145|2342435.86|4304|5653510.66|INC_ACH-R4-0516.PBS|05/16/2017|||
Hello,
According to the docs, what you are doing should work fine; however, it doesn't work for me either.
For sample logs you have provided, the following worked fine:
props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)
Regards
I gave it a try again with LINE_BREAKER = ([\r\n]+)
and it worked fine on version 6.5.3
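An added example, not part of the thread and not Splunk's own code: a Python emulation of the documented LINE_BREAKER behaviour (an event ends where the first capture group starts, the next begins where it ends, and the group's text is discarded), run over three rows of the raw data from the question. The function names `break_events` and `check_events` are hypothetical, and the mixed `\n` / `\r\n` line endings are an assumption, since the thread does not show them.

```python
import re

# Constructed sample: the first three rows of the raw data quoted in the
# question, joined with mixed \n and \r\n endings (the endings are an assumption).
RAW = (
    "y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|\r\n"
    "y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||\n"
    "y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|\r\n"
)

def break_events(raw, line_breaker=r"([\r\n]+)"):
    """Split raw text the way LINE_BREAKER is documented to: each event ends
    where capture group 1 starts, the next begins where it ends, and the
    text matched by group 1 is discarded."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.start(1) < 0 or m.end(1) == m.start(1):
            continue  # group 1 absent or empty: no boundary here
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e]  # drop empty leading/trailing pieces

def check_events(events, delimiter="|", expected=13):
    """Return events that still contain a line ending or whose delimiter
    count differs from the 13 pipes each row of this sample carries."""
    return [e for e in events
            if "\n" in e or "\r" in e or e.count(delimiter) != expected]

if __name__ == "__main__":
    events = break_events(RAW)
    print(len(events), "events; malformed:", check_events(events))
    # Merged input, as seen when breaking fails: one event holding every row.
    print("unbroken:", len(check_events([RAW])), "malformed event")
```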
Working fine, but how? Could you please explain?
Thanks in advance
Hi,
1- Where is props.conf stored, and let me know whether this change will impact all logs or a specific log.
2- Can I force Splunk to monitor the log line by line using input.conf?
props.conf file location: $SPLUNK_HOME/etc/system/local
Inside the directory you will find props.conf; in case you don't have one, create a new one with the name props.conf.
Place that code inside the file; after that, restart the splunkd service.
Hello,
$ matches the end of the line; it works the same way as ^ does with the start of the line.
Regards
You need to: