How to include header from an event for splunk to ...

Mo7860 · ‎09-17-2024

I have a sample log, how do I create line breaking in props.conf on the indexers so that splunk can recognize the header (###) as the first line of the event message

sample log

########################################################################
Thu 05/02/2024 - 8:06:13.34
########################################################################
Parm-1 is XYZ
Parm-2 is w4567
Parm-3 is 3421
Parm-4 is mclfmkf
Properties file is jakjfdakohj
Parm-6 is %Source_File%
Parm-7 is binary
Parm-8 is
Parm-9 is
SOURCE_DIR is mfkljfdalkj
SOURCE_FILE is klnsaclkncalkn
FINAL_DIR is /mail/lslk/jdslkjd/
FINAL_FILE is lkjdflkj_*.txt
MFRAME is N

Version
(C) Copyright
*************************************************
Successfully connected

I want splunk to include the ### as the first line of the event message, but I am able to get line breaker from the second line Thu 05/02/2024 - 8:06:13.34

Please let me know

marnall · ‎09-17-2024

You should set the LINE_BREAKER field in your props.conf in your indexer machine(s). You can also set SHOULD_LINEMERGE = false to prevent Splunk from recombining the events.

[yoursourcetype]
LINE_BREAKER = ^()\#{72}\n[^\#]*\#{72}
SHOULD_LINEMERGE = false

Since your log header includes two lines of hashes, the REGEX should find both of them.

How to include header from an event for splunk to recognize as the first line of the event log

configuration

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to include header from an event for splunk to recognize as the first line of the event log

configuration

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits