I'm fairly new to Splunk so please bear with me. I have a logfile that has multiple lines of data. However, when I do my search I get mixed results.
Here is an example logfile.
Crashed Jobs for Thu Dec 10 12:05:01 EST 2020 in qa environment
Job started @ 20201210120501
CustomerHistoryLoad_fixLoad_FileFix_PART
call_SPBatchDetail_Web.Job_BatchDetailStartWebDeptRequirements
EmployeeMasterPull
get_ControlState_StoreCloseMonitor.Job_GetControlState_StrClsMon
RunSeqBusinessEODLoad
run_CustomerLoadSeq
run_SalesLease_LoadSeq
run_Vendor_CDP_DW_LoadExportSeq
run_Vendor_POSLog_ExportSeq_Adhoc_Run
run_WebApr_LoadSeq
run_WebDeptRequirements_LoadSeq
Seq_HRMS_AD_to_DW
StoreCloseMonitorSeq
Job ended @ 20201210121407
Here is my search -
index=bli_datastage_crash_jobs_qa sourcetype=bli_datastage_crash_jobs | rex field=_raw "From:(?<Crashed>.*) To:(?<Job>.*)"
The problem is I get multiple events instead of just one event. I suspect I have breaks (newlines) in this logfile but I can't seem to get all the lines included into a single event. Appears the data is getting indexed as separate events. Any advice on getting the data indexed as a single event would be greatly appreciated.
Why not check props.conf and should_linemerge and line_breaker?
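As an added illustration of what that props.conf change does (this is not code from either poster or from Splunk), the Python below embeds a constructed props.conf stanza for the poster's sourcetype and emulates only the LINE_BREAKER step with SHOULD_LINEMERGE = false: wherever the regex matches, the start of its first capture group ends the previous event, the end of that group starts the next one, and the captured text is dropped. The regex itself is an assumption based on the sample, where every report begins with "Crashed Jobs for". The sample log is the poster's report plus a second, shorter constructed one so the difference between Splunk's default breaker and the configured one is visible.

```python
import re

# Constructed props.conf stanza (assumption, not from the thread). The stanza
# name is the sourcetype in the poster's search. The capture group marks the
# text Splunk discards at the boundary; the lookahead keeps "Crashed Jobs for"
# as the first line of the next event.
PROPS_STANZA = r"""
[bli_datastage_crash_jobs]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=Crashed Jobs for )
"""

# Splunk's default LINE_BREAKER: every newline run is an event boundary.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Constructed sample: the poster's report followed by a second, shorter one.
SAMPLE_LOG = """Crashed Jobs for Thu Dec 10 12:05:01 EST 2020 in qa environment
Job started @ 20201210120501
CustomerHistoryLoad_fixLoad_FileFix_PART
call_SPBatchDetail_Web.Job_BatchDetailStartWebDeptRequirements
EmployeeMasterPull
get_ControlState_StoreCloseMonitor.Job_GetControlState_StrClsMon
RunSeqBusinessEODLoad
run_CustomerLoadSeq
run_SalesLease_LoadSeq
run_Vendor_CDP_DW_LoadExportSeq
run_Vendor_POSLog_ExportSeq_Adhoc_Run
run_WebApr_LoadSeq
run_WebDeptRequirements_LoadSeq
Seq_HRMS_AD_to_DW
StoreCloseMonitorSeq
Job ended @ 20201210121407
Crashed Jobs for Fri Dec 11 12:05:01 EST 2020 in qa environment
Job started @ 20201211120501
EmployeeMasterPull
Job ended @ 20201211120903
"""


def line_breaker_from_stanza(stanza: str) -> str:
    """Pull the LINE_BREAKER value out of a props.conf stanza (minimal parser)."""
    for line in stanza.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "LINE_BREAKER":
            return value.strip()
    raise KeyError("LINE_BREAKER not set in stanza")


def break_events(raw: str, line_breaker: str) -> list[str]:
    """Emulate Splunk's LINE_BREAKER: the first capture group of each match is
    the event boundary and is discarded; text before it closes the previous
    event, text after it opens the next. Empty events are dropped."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events = []
    pos = 0
    for m in pattern.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]


def crashed_jobs(event: str) -> list[str]:
    """Once a report is a single event, the crashed job names are the lines
    between the 'Job started @' and 'Job ended @' markers."""
    lines = event.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("Job started @"))
    end = next(i for i, l in enumerate(lines) if l.startswith("Job ended @"))
    return lines[start + 1:end]


if __name__ == "__main__":
    configured = line_breaker_from_stanza(PROPS_STANZA)
    for label, regex in (("default", DEFAULT_LINE_BREAKER), ("configured", configured)):
        print(f"{label} LINE_BREAKER -> {len(break_events(SAMPLE_LOG, regex))} event(s)")
    for ev in break_events(SAMPLE_LOG, configured):
        print(ev.splitlines()[0], "->", len(crashed_jobs(ev)), "crashed job(s)")
```

With the default breaker the sample becomes 20 one-line events, which is the symptom in the question; with the configured stanza it becomes two events, one per report. Note that with SHOULD_LINEMERGE = false the whole report has to fit under TRUNCATE (10000 bytes by default), so raise that setting if a report can list many more jobs than the sample. The stanza must be on the indexer or heavy forwarder that parses the data, and it only affects data indexed after the change.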
I added a LINE_BREAKER to props.conf and added transforms.conf and it's working now.
Thank you