I have trap messages being written to a txt file which then gets pushed to my indexer via a universal forwarder, and I also have line breaks set up in props.conf. The trap message then appears in full as a multi-line event.
This is the line break config for the trap message:
Unsure if the above config is best for trap messages but it seems to work.
Pic of traps as they come into Splunk: imgur.com/RcmA93R
I then use the IFX tool to extract specific lines from the trap message; however, this sometimes works and sometimes breaks?
When it works it successfully extracts the results of 1 line.
Pic of a working extraction: imgur.com/E0xtHs3
Other times it extracts the line I want but it also extracts the rest of the message, so I end up with multiple lines in my extraction.
Pic of a non working extraction: imgur.com/EKdUOFm
I have played about with the rex config in props.conf to stop extracting after the end of line but having no joy with this. What rex can I use that basically says 'stop' after the end of line and do not continue with any more extraction?