props.conf how to break event after every new line...

Kitteh · ‎10-17-2017

As stated in the question, my props.conf has the following settings:

[daemonforCent]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE=false

And as you can see, the result is still the same, not breaking anything. I've tried BREAK_ONLY_BEFORE=\r\n too but also will not work.

dantimola · ‎01-15-2018

Was your problem resolved already? Please give me feedback as I'm having the same problem as well. Thank you.

jkat54 · ‎10-17-2017

Your props.conf is correct but these settings only apply at index time. You will need to be sure the props are on the forwarder(s) or indexer(s), and reingest any data that wasn’t properly ingested before.

Kitteh · ‎10-18-2017

they are done at the forwarders which worked well for ubuntu side with similar props settings.

MuS · ‎10-18-2017

Is this forwarders as in parsing heavy weight forwarders?

gcusello · ‎10-17-2017

Hi Kitteh,
let me understand: do you want to have a row in each event?
if yes use SHOULD_LINEMERGE = false

Bye.
Giuseppe

Kitteh · ‎10-17-2017

I want them to be separated into different event, so basically its just "abrtd (pid 2637)-running" as one event. So basically I suppose having rows do not matter as long events are splitted apart as its own.

props.conf how to break event after every new line?

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

DevSecOps: Why You Should Care and How To Get Started