...ullQueuing, ie, after properties like linebreaking (which is costly but vital for us for those logs) have already been computed.
Any way we can setup props / transforms / anything to first completely i...
...ileExtn3> I want to table the each group on a separate line by subject and sender... The issue is that I can only get 1 of the fields to break out correctly (like <hash?>) but the other f...
When the fschange input indexes the full event, I would like to change the sourcetype, applylinebreaking rules, and route the event to a different index. I found an example once, but it doesn't s...
Hello,
I have a file that doesnt seems to be breakable via the standard linebreaker since it's a full text file with no \n or \r whatsoever. Using delimiters for lines didnt work so I want to u...
...'ve tried using "LINE_BREAKER" with a regular expression (date/time stamp at the beginning of the line) and "SHOULD_LINEMERGE" set to false, have also tried "BREAK_ONLY_BEFORE", "TIME_PREFIX", "T...
I have a very simple config for an input in props.conf:
[fortinet_config]
SHOULD_LINEMERGE = True
If I use the "Upload a local file" option to index a config file, Splunk always breaks it u...
...nd apply it to a network input but I'm having a lot of difficulty with linebreaking. The sample data I'm using was gathered by a packet capture, exported as raw data, and added to a text file. It s...
i am trying to break the events in the below data after each pipe (|),placed the props.conf on both UF and HF still doesn't apply
but when I am trying the same props.conf in the UI (add data) b...
...pen again, its the default one ([\n\r]+). If I go on "Events Break" instead and just type my regex it saves. What I'm doing wrong? 2 - It doesn't apply my new sourcetype to my logs. I check on Search-&g...
...ppear correctly formatted. If we go via the universal formatter then messages are coming through with extra linebreaks. It's as if Splunk isn't able to tell where one event stops and another begins.
I...