list: 6363

kiran331 · ‎06-28-2017

Hi I have the text file with below sample data I have to break the events using
"-------------------------" as event break

abc

text file: 123
name: 235
list: 6363

dfdf

text file: df
name: ggg
list: fdgdfg

abc

text file: 123
name: 235
list: 6363

cds

text file: 1fd3
name: ff35
list: 6sd

somesoni2 · ‎06-28-2017

Try this

props.conf on indexer/heavy forwarder

[yoursourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?=\-+)
DATETIME_CONFIG=CURRENT

kiran331 · ‎06-28-2017

Hi Somesoni, I Have "-------------------------" in the text

after each group details. I have to split the events after

somesoni2 · ‎06-28-2017

I believe the above configuration should do that. Did you get a chance to test it (or share what failed if you've)?

senthamilselvan · ‎09-21-2017

Hi Somesoni,
I have the same problem in splitting the events, I tried your above answer but it is not working.

Here is my requirement, I want to split the log in to multiple events based on the delimiter "========" . So that i will get 3 events in splunk
abc
text file: 123
name: 235

How to break the events using regex?

after each group details. I have to split the events after

list: 6363

list: fdgdfg

list: 6sd

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to break the events using regex?

after each group details. I have to split the events after

list: 6363

list: fdgdfg

list: 6sd

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...