Hi,
I have the below data and I know that props and/or transforms.conf need to be modified to have the below report as 1 event. I'm not that familiar with how props/transforms.conf work since we have Splunk Cloud and have never modified them.
Premise= 135019
Name= Front Door
IP= 172.16.12.103
ID= 1
Mac= E8:F2:E2:2D:CB:73
FW Ver= 0.9.2.1708101
Manufacturer= LGInnotek
Model= Titan
Video Size= LARGE
Verified= true
RSSI= -79 dB
Supported Video Formats= [MJPEG, FLV, RTSP]
Supported Video Codecs= [H264, MPEG4]
FLV URL= https://172.16.12.103:80/openhome/streaming/channels/0/flv
MJPEG URL= https://172.16.12.103:80/openhome/streaming/channels/2/mjpeg
API Version= 3.3.7
MotionTurnedOn= true
MotionSensitivy= 1 (LOW)
Local Video Aspect Ratio= 16:9
Local Video Resolution= 1280:720
Remote Video Aspect Ratio= 16:9
Remote Video Resolution= 1280:720
Assuming your logs always start with Premise=.., try this
props.conf on Indexer/HF
[yourSourcetype]
LINE_BREAKER = ([\r\n]+)(?=Premise\=\s\S+)
SHOULD_LINEMERGE = false
#Don't see any timestamp on the data so using current time
DATETIME_CONFIG=CURRENT
In your props.conf for this sourcetype, you could try using a line_breaker to split, assuming all events start with "Premise="
[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Premise=
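To check how the two LINE_BREAKER patterns suggested in the answers above split this kind of data before deploying them, here is an added example (not part of the original posts) that approximates Splunk's rule in Python: the text matched by the first capture group is discarded and the event boundary falls there. The sample reports and the helper names `split_events` and `report` are constructed for illustration, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# The two LINE_BREAKER patterns proposed in the answers above.
LOOKAHEAD = r"([\r\n]+)(?=Premise\=\s\S+)"
LITERAL = r"([\r\n]+)Premise="

def split_events(raw, line_breaker):
    """Approximate LINE_BREAKER with SHOULD_LINEMERGE = false:
    capture group 1 is discarded; the text before it ends one event
    and the text after it starts the next."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

# Constructed sample: two reports, shortened from the format in the question.
SAMPLE = (
    "Premise= 135019\nName= Front Door\nIP= 172.16.12.103\nVerified= true\n"
    "Premise= 135020\nName= Back Door\nIP= 172.16.12.104\nVerified= false\n"
)
# Constructed variant with no space after "Premise=".
NO_SPACE = SAMPLE.replace("Premise= ", "Premise=")

def report(raw):
    """Split the same input with both patterns for side-by-side comparison."""
    return {name: split_events(raw, rx)
            for name, rx in (("lookahead", LOOKAHEAD), ("literal", LITERAL))}

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("no space", NO_SPACE)):
        for name, events in report(raw).items():
            print(f"{label:9} {name:9} -> {len(events)} event(s)")
            for e in events:
                lines = e.splitlines()
                print("   ", lines[0], f"({len(lines)} lines)")
```

On the sample, both patterns yield one event per report, each still beginning with its `Premise=` line. When the space after `Premise=` is missing, the lookahead pattern never matches and both reports stay merged in a single event, while the literal pattern still splits them.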