@somsoni2: have tried the below and it looks like it's basically just changed the groupings on the events, the events are being broken more often but I still see the odd event like this, where the linebreaking is just being ignored: 12/10/2015 12:33:18,779 INFO fileupload - sessionDestroyedListener running for USER04 12/10/2015 12:33:18,785 INFO fileupload - null has got session timeout page @rphillips: The setup is basically a two node cluster on Splunk 6.2.5, _cluster/local/props.conf is updated in master-apps, I then use the GUI to distribute the bundle to the cluster peers, make sure the slave-apps has been updated on the indexer and check to see if the linebreaking is applied. Have also tried the regex you provided and the linebreaking show no change to somesoni's. ... View more

this works like a champ! thanks! ... View more

I spent far too long trying to figure out why we were getting entries like the ones below -- editing the inputs.conf in the /local directory was it! [CRITICAL] [rpcstart.py] The java path does not exist: /usr/lib/jvm/jre [CRITICAL] [rpcstart.py] RPC server has been terminated abnormally with error [Invalid java path.]. ... View more

Still wouldn't work till I upgraded till the latest version of Splunk. Can confirm that "checkbox" works now as well, so it does need 6.1 ... View more

so length seems to be an issue (hur hur), I'm trying to extract 35 fields, so the line in props is pretty long. When I test it using only the first five fields, it works and extracts these fields as it should. Is there a limit to the number of fields to be extracted in props....? am I reaching a character limit meaning the whole line is ignored? ... View more