Hello,
I'm getting input from a log file the contents of which are a long listing of a directory containing .rpm files. When I search on the source or sourcetype I get a single event for every line in the log file. When I search on the index I directed the input to go to, it lumps entries together:
-rw------- 1 root root 1.2M Sep 3 13:17 cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm
-rw------- 1 root root 127K Sep 3 13:15 cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm
Is one event instead of two.
props.conf looks like this:
# props.conf stanza for a sourcetype is just the sourcetype name (no "sourcetype::" prefix)
[RHEL_mon_log]
SHOULD_LINEMERGE = true
# regex is PCRE; the <...> placeholder brackets from the docs must not be copied literally
MUST_BREAK_AFTER = \.rpm$
Any suggestions?
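To see why a MUST_BREAK_AFTER pattern can silently never fire, here is a small checker I added (it is not part of the original post and not Splunk code). It models only the SHOULD_LINEMERGE=true plus MUST_BREAK_AFTER behaviour, ignoring Splunk's other merge defaults such as BREAK_ONLY_BEFORE_DATE, and it emulates PCRE's \Q...\E literal quoting because Python's re module does not support it; both are assumptions, and the two listing lines are constructed to mirror the ones in the post.

```python
import re

# Constructed sample input mirroring the two listing lines in the post.
SAMPLE_LINES = [
    "-rw------- 1 root root 1.2M Sep 3 13:17 cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm",
    "-rw------- 1 root root 127K Sep 3 13:15 cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm",
]

# Matches a PCRE \Q...\E quoted run (or \Q to end of pattern when \E is omitted).
_QUOTED = re.compile(r"\\Q(.*?)(?:\\E|$)", re.S)


def pcre_to_python(pattern):
    """Rewrite PCRE \\Q...\\E literal quoting into Python re escaping (assumed emulation)."""
    return _QUOTED.sub(lambda m: re.escape(m.group(1)), pattern)


def lines_matching(lines, must_break_after):
    """Return the indexes of lines the break regex actually matches.

    An empty result means every line would be merged into one event.
    """
    rx = re.compile(pcre_to_python(must_break_after))
    return [i for i, line in enumerate(lines) if rx.search(line)]


def merge_events(lines, must_break_after):
    """Simplified model of SHOULD_LINEMERGE=true with MUST_BREAK_AFTER.

    Lines accumulate into the current event; when a line matches the regex
    the event is closed and the next line starts a new one.
    """
    rx = re.compile(pcre_to_python(must_break_after))
    events, current = [], []
    for line in lines:
        current.append(line)
        if rx.search(line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for pattern in (r"<\Q.rpm\E>", r"\.rpm$"):
        hits = lines_matching(SAMPLE_LINES, pattern)
        events = merge_events(SAMPLE_LINES, pattern)
        print(f"{pattern!r}: matches lines {hits}, produces {len(events)} event(s)")
```

Running it shows the literal angle brackets in `<\Q.rpm\E>` match none of the listing lines, so the whole listing collapses into a single event, while `\.rpm$` matches each line and yields one event per line. It is a quick way to validate a break regex against a sample of the real file before reloading props.conf.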