About BlakeDC

BlakeDC · ‎05-13-2016

I added a "`n" to the end of the output file so each line now has a hard break inserted. It shows up now but it's still just one single event instead of an event for each line 😞 It basically thinks I have 300 fields in this log and I can't parse!

BlakeDC · ‎05-13-2016

It's a powershell output to a file. It's basically all the lines at once. I've tried to default which you pasted above but when I do that no data is showing up in splunk 😞

BlakeDC · ‎05-13-2016

ComputerTarget=EDITED; NeededCount=31; DownloadedCount=0; NotApplicableCount=82225; NotInstalledCount=31; InstalledCount=32; FailedCount=0 ComputerTarget=EDITED; NeededCount=202; DownloadedCount=0; NotApplicableCount=81555; NotInstalledCount=202; InstalledCount=154; FailedCount=0 ComputerTarget=EDITED; NeededCount=203; DownloadedCount=0; NotApplicableCount=81921; NotInstalledCount=203; InstalledCount=156; FailedCount=0 This is my data source. I have it setup in props.conf to linebreak after FailedCount=####### but it doesn't seem to be working (data never reaches Splunk unless I remove the props settings). Here's my props: [NeededCount] CHARSET = UTF-16LE is_valid = True SHOULD_LINEMERGE = True MUST_BREAK_AFTER = (FailedCount=\d{1,10}) I need help in making sure it'll break after that failedcount=#### so that each line shows up in Splunk as its own event and not just a giant event of 130+ lines.

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎05-13-2016

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

How do I line break this data source?

Re: How do I line break this data source?

Re: How do I line break this data source?

How do I line break this data source?

Join the Conversation

How do I line break this data source?

Re: How do I line break this data source?

Re: How do I line break this data source?

How do I line break this data source?