list: 6363

kiran331 · ‎06-28-2017

Hi I have the text file with below sample data I have to break the events using
"-------------------------" as event break

abc

text file: 123
name: 235
list: 6363

dfdf

text file: df
name: ggg
list: fdgdfg

abc

text file: 123
name: 235
list: 6363

cds

text file: 1fd3
name: ff35
list: 6sd

somesoni2 · ‎06-28-2017

Try this

props.conf on indexer/heavy forwarder

[yoursourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?=\-+)
DATETIME_CONFIG=CURRENT

kiran331 · ‎06-28-2017

Hi Somesoni, I Have "-------------------------" in the text

after each group details. I have to split the events after

somesoni2 · ‎06-28-2017

I believe the above configuration should do that. Did you get a chance to test it (or share what failed if you've)?

senthamilselvan · ‎09-21-2017

Hi Somesoni,
I have the same problem in splitting the events, I tried your above answer but it is not working.

Here is my requirement, I want to split the log in to multiple events based on the delimiter "========" . So that i will get 3 events in splunk
abc
text file: 123
name: 235

How to break the events using regex?

after each group details. I have to split the events after

list: 6363

list: fdgdfg

list: 6sd

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to break the events using regex?

after each group details. I have to split the events after

list: 6363

list: fdgdfg

list: 6sd

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem