Solved: Re: How to break events as Every Line

dantimola · ‎04-10-2017

Hi All,

What's the appropriate regex for event break Every Line? Is my props.conf correct?

[index_name]
LINE_BREAKER = ([\r\n]+)

asimagu · ‎04-10-2017

hi there, yes, that is correct.
However the stanza name should not be an index name but a sourcetype name.

Also, you could use
SHOULD_LINEMERGE = false

more info here: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Propsconf

View solution in original post

gcusello · ‎04-10-2017

Hi dantimola
to have each event in one line use

SHOULD_LINEMERGE = false

I suggest, before logs indexing, try to index a test copy of your logs using the web extractor (inserting them in a test index), in this way, you can build your props.conf by web interface and see every configuration (timestamp, line break, etc...).
Bye.
Giuseppe

asimagu · ‎04-10-2017

hi there, yes, that is correct.
However the stanza name should not be an index name but a sourcetype name.

Also, you could use
SHOULD_LINEMERGE = false

more info here: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Propsconf

How to break events as Every Line

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform