@DMohn - If you see the logs properly, the event starts with "SNMPv2-SMI::enterprises", and ends with third "space", in between there are 2 spaces.
e.g.:
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"
So ideally, we need to break at the last "Space" of that event, i.e. the third space. I have attached the image for the event and marked the space in red where the line break should occur.
https://ibb.co/cCqSsXg
How do we write the capture regex for that?
The strange behaviour is that when we export sample raw logs and upload them manually from local, the suggested regex works. But when we put that on the HF, it does not work. We are restarting Splunk after the change on the HF.
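Added example, not part of the original post: a Python sketch of two ways to express the break described above, using the convention that the regex's first capture group is the discarded delimiter between events (the convention Splunk's LINE_BREAKER setting follows). The helper name `split_events`, every OID and value except the first event, and the value containing a space are constructed assumptions.

```python
import re

PREFIX = 'SNMPv2-SMI::enterprises.'

# Constructed samples. Only the first event is taken from the post.
EVENTS = [
    PREFIX + '"2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"',
    PREFIX + '"2011.2.281.2.1.20008.41032.1044.1.1.27.1" = "7"',
    PREFIX + '"2011.2.281.2.1.20008.41032.1044.1.1.28.2" = "42"',
]
# Assumed edge case: a quoted value that itself contains a space.
EVENTS_SPACED = [EVENTS[0], PREFIX + '"2011.2.281.9.9" = "link down"', EVENTS[2]]

# Option A: count spaces. Break on the space that follows `name = value`.
THIRD_SPACE = re.compile(r'\S+ = \S+( )')
# Option B: break on whitespace that is directly followed by the next
# event's fixed prefix, regardless of how many spaces the value holds.
NEXT_PREFIX = re.compile(r'(\s)' + re.escape(PREFIX))


def split_events(stream, breaker):
    """Split `stream` wherever `breaker` matches: text before group 1 ends
    one event, group 1 is dropped, text after it starts the next event."""
    events, start = [], 0
    for m in breaker.finditer(stream):
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    events.append(stream[start:])
    return [e for e in events if e]


if __name__ == "__main__":
    for name, sample in (("plain", EVENTS), ("spaced value", EVENTS_SPACED)):
        raw = " ".join(sample)  # events run together, one space apart
        for label, rx in (("third-space", THIRD_SPACE), ("next-prefix", NEXT_PREFIX)):
            got = split_events(raw, rx)
            print(f"{name:13} {label:12} ok={got == sample}")
            for e in got:
                print("    ", e)
```

Counting spaces only holds while no value contains whitespace; anchoring on the fixed prefix of the following event does not depend on that.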