Re: MultiLine Event - Line Breaker

CarolinaHB · ‎06-11-2020

Hi,

I have a file with many records but when it is indexed in a single event.

Example:

20859000133104142002020052140014M101000042394286020200521012000136024001R0001400000000000039500111342817111342817211342818311342818300000000011342819911342820800000000011342837310500
2085900013320414208085904142200000000046 20200521012000136024001R0050200000000000000056211344550011344550211344551211344551200000000011344552511344553300000000011344569410500
2085900013330414206085904142200000000047 20200521012000136024001R0050200000000000000056311351275511351275511351276711351276700000000011351278411351279500000000011351293910500

My props.conf file is configured

[Prueba]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 17
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y%m%d0%H%M%S%3Q
TIME_PREFIX = ^.{49}
category = Custom
pulldown_type = true
BREAK_ONLY_BEFORE_DATE =
disabled = false

I changed the regex in LINE_BREAKER by ^.+\n but it does not work.

Regards,

p_gurav · ‎06-11-2020

Please try with

SHOULD_LINEMERGE = false

CarolinaHB · ‎06-12-2020

Hi, I try

SHOULD_LINEMERGE = false

It doesn't work

MultiLine Event - Line Breaker

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation