I have log where each transaction ends with either of one below lines
SignaturePolicy: BINDING_DEFAULT
SignatureStatus: BINDING_DEFAULT
EXCEPTION
can we give multiple values in MUST_BREAK_AFTER configuration.In splunk doc it didnot say it can configure with muliple values.
No you can not. However, the value you provide regular expression, which can express any number of terms.
Right, so something kind of like this I think:
MUST_BREAK_AFTER = (SignaturePolicy:\sBINDING_DEFAULT$)|(SignatureStatus:\sBINDING_DEFAULT$)|(EXCEPTION)
Have you tried something like this?
MUST_BREAK_AFTER = Signature(Policy|Status):\sBINDING_DEFAULT|EXCEPTION
ok,thanks for giving answer so quickly
No you can not. However, the value you provide regular expression, which can express any number of terms.