Splunk Search

How to break the events using regex?

kiran331
Builder

Hi I have the text file with below sample data I have to break the events using
"-------------------------" as event break

abc

text file: 123
name: 235
list: 6363


dfdf

text file: df
name: ggg
list: fdgdfg


abc

text file: 123
name: 235
list: 6363


cds

text file: 1fd3
name: ff35
list: 6sd

Tags (2)
0 Karma

somesoni2
Revered Legend

Try this

props.conf on indexer/heavy forwarder

[yoursourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?=\-+)
DATETIME_CONFIG=CURRENT
0 Karma

kiran331
Builder

Hi Somesoni, I Have "-------------------------" in the text

after each group details. I have to split the events after

0 Karma

somesoni2
Revered Legend

I believe the above configuration should do that. Did you get a chance to test it (or share what failed if you've)?

0 Karma

senthamilselvan
Engager

Hi Somesoni,
I have the same problem in splitting the events, I tried your above answer but it is not working.

Here is my requirement, I want to split the log in to multiple events based on the delimiter "========" . So that i will get 3 events in splunk
abc
text file: 123
name: 235

list: 6363

dfdf
text file: df
name: ggg

list: fdgdfg

cds
text file: 1fd3
name: ff35

list: 6sd

0 Karma
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...