Hi, Splunkers,
I have the following data coming from a UF to a Splunk instance.
<< UDP-1128 Nocrypto.......
REGISTER.....
......................
......................
......................
......................
......................
......................
Content-Length: 0
It is from the same file's content; however, Splunk breaks it at each line like this:
<< UDP-1128 Nocrypto.......
REGISTER.....
...........................
Content-Length: 0
This makes it difficult for me to search the data.
I have already tried this config in several locations:
1. UF's $SPLUNK/etc/apps/[deployment_app_name]/local/props.conf
2. the apps located in the Splunk instance at $SPLUNK_HOME/etc/apps/[App_Name]/local/props.conf
3. the props.conf at $SPLUNK_HOME/etc/system/local/props.conf
Here is the props.conf content:
[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_MERGE = true
BREAK_ONLY_BEFORE = \s+<<\sUDP-\d+\sNoCrypto
MUST_BREAK_AFTER = Content-Length
BREAK_ONLY_BEFORE = <regular expression>
* When set, Splunk creates a new event only if it encounters a new line that
matches the regular expression.
* Defaults to empty.
MUST_BREAK_AFTER = <regular expression>
* When set and the regular expression matches the current line, Splunk
creates a new event for the next input line.
* Splunk may still break before the current line if another rule matches.
* Defaults to empty.
The instructions are from the "Configure event line breaking" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Configureeventlinebreaking
and the "props.conf" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf
But the props.conf doesn't work to merge the data into a multi-line event.
Does anyone have suggestions? Thanks for replying 🙂
Try this:
[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\s*<<\s*UDP-\d+\s+
Save this to your indexers, restart all Splunk instances on your indexers and test by ONLY checking events that were indexed AFTER the restarts. Do note my implementation of the comment by @dineshraj9!
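To see why the BREAK_ONLY_BEFORE from the question never finds an event boundary in the sample data while the one above does (its leading \s+ demands whitespace before <<, and NoCrypto does not match Nocrypto, since the match is case-sensitive), here is an added Python model of the line-merge step. It is not Splunk's code: it uses Python's re in place of PCRE, ignores limits such as MAX_EVENTS, and assumes the << lines start at column 0 as in the thread's sample.

```python
import re

# Constructed sample modelled on the thread's data: two messages from one file.
# Assumption: the "<<" lines start at column 0, as the thread's sample shows.
SAMPLE = (
    "<< UDP-1128 Nocrypto.......\n"
    "REGISTER.....\n"
    "......................\n"
    "Content-Length: 0\n"
    "<< UDP-1128 Nocrypto.......\n"
    "REGISTER.....\n"
    "...........................\n"
    "Content-Length: 0\n"
)

LINE_BREAKER = r"[\r\n]+"
# The question's pattern and the answer's pattern, copied verbatim from the thread.
ORIGINAL_BREAK_ONLY_BEFORE = r"\s+<<\sUDP-\d+\sNoCrypto"
ANSWER_BREAK_ONLY_BEFORE = r"^\s*<<\s*UDP-\d+\s+"

def boundary_lines(raw, break_only_before):
    """Lines at which BREAK_ONLY_BEFORE would start a new event."""
    rx = re.compile(break_only_before)
    return [ln for ln in re.split(LINE_BREAKER, raw) if ln and rx.search(ln)]

def merge_events(raw, break_only_before):
    """Model of SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE, using Python's re.

    A line that matches starts a new event; any other line is appended to the
    current one. Splunk uses PCRE and applies further limits (e.g. MAX_EVENTS),
    so this only checks whether the regex can ever find an event boundary.
    """
    rx = re.compile(break_only_before)
    events = []
    for line in re.split(LINE_BREAKER, raw):
        if not line:
            continue
        if rx.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(ev) for ev in events]

if __name__ == "__main__":
    for name, rx in (("question", ORIGINAL_BREAK_ONLY_BEFORE),
                     ("answer", ANSWER_BREAK_ONLY_BEFORE)):
        print(f"{name}: {len(boundary_lines(SAMPLE, rx))} boundary lines, "
              f"{len(merge_events(SAMPLE, rx))} events")
```

With the question's regex no line qualifies as a boundary, so everything collapses into one event; with the answer's regex each "<< UDP-..." line starts a new four-line event.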
I will try it later, and I will let you know the result. Thanks!
It should be SHOULD_LINEMERGE and not SHOULD_MERGE.
SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
multi-line event, based on the following configuration attributes.
* Defaults to true.
# When SHOULD_LINEMERGE is set to true, use the following attributes to
# define how Splunk builds multi-line events.
I did it right in props.conf, it still doesn't work 😞