From the props.conf documentation:
LINE_BREAKER =
* Specifies a regex that determines how the raw text stream is broken into
initial events, before line merging takes place. (See the SHOULD_LINEMERGE
setting, below)
* Defaults to ([\r\n]+), meaning data is broken into an event for each line,
delimited by any number of carriage return or newline characters.
* The regex must contain a capturing group -- a pair of parentheses which
defines an identified subcomponent of the match.
* Wherever the regex matches, Splunk software considers the start of the first
capturing group to be the end of the previous event, and considers the end
of the first capturing group to be the start of the next event.
* The contents of the first capturing group are discarded, and will not be
present in any event. You are telling Splunk software that this text comes
between lines.
So the first capture group matches and discards the return/newline, but then you need to identify the start of the event, not just create a new event at each new line. Since Splunk discards the contents of the first capture group, you need to create a second that won't be discarded.
In this case @somesoni2 wrote the second part as an assertion rather than a capture group. You can read about the difference here. You can remove the ?= and it should work as well.
If it's working for you, make sure you mark this correct. @somesoni2 did 99% of the work; I just corrected a minor mistake.
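To make the documented LINE_BREAKER semantics concrete, here is an added Python model of the splitting rule (written for this page; it is not Splunk code and not the answerer's own). The sample log stream, the timestamp pattern and the function names are assumptions made for the example. It runs the default breaker, the lookahead form and the second-capture-group form discussed above over the same stream, so you can see that only group 1 is discarded and that the lookahead and the extra capture group break the stream identically.

```python
import re

# Constructed sample stream (written for this example, not taken from the post):
# a Java-style log where the indented stack-trace lines belong to the ERROR
# event that precedes them.
SAMPLE_STREAM = (
    "2024-01-01 10:00:00 INFO app started\n"
    "2024-01-01 10:00:05 ERROR request failed\n"
    "    at com.example.Handler.handle(Handler.java:42)\n"
    "    at com.example.Server.run(Server.java:17)\n"
    "2024-01-01 10:00:09 INFO retry succeeded\n"
)

# Assumption for this example: a timestamp at the start of a line marks a new event.
TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

DEFAULT_BREAKER = r"([\r\n]+)"                        # props.conf default
LOOKAHEAD_BREAKER = r"([\r\n]+)(?=" + TIMESTAMP + ")"  # break only before a timestamp
CAPTURE_BREAKER = r"([\r\n]+)(" + TIMESTAMP + ")"      # same, with a 2nd capture group


def split_events(stream, line_breaker=DEFAULT_BREAKER):
    """Split a raw text stream into events the way the props.conf docs
    describe LINE_BREAKER (a simplified model written for this example,
    not Splunk's own code):

      * each match ends the previous event at the START of group 1 and
        begins the next event at the END of group 1;
      * the text of group 1 is discarded;
      * anything the regex matches outside group 1 (a lookahead or a
        second group) only decides WHERE to break and stays in the
        next event.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")

    events = []
    event_start = 0
    for m in pattern.finditer(stream):
        event = stream[event_start:m.start(1)]
        if event:                      # ignore empty events from leading/doubled breaks
            events.append(event)
        event_start = m.end(1)         # next event begins where group 1 ends
    tail = stream[event_start:]
    if tail:
        events.append(tail)
    return events


def main():
    for name, breaker in [("default", DEFAULT_BREAKER),
                          ("lookahead", LOOKAHEAD_BREAKER),
                          ("second capture group", CAPTURE_BREAKER)]:
        events = split_events(SAMPLE_STREAM, breaker)
        print(f"{name}: {len(events)} event(s)")
        for ev in events:
            print("  " + ev.replace("\n", "\\n"))


if __name__ == "__main__":
    main()
```

With the default breaker every line becomes its own event, so the stack-trace lines are orphaned; with either of the other two breakers the ERROR line and its two "at ..." lines come out as one event, and the timestamp that the lookahead or second group matched is still at the front of the next event because only group 1 is thrown away.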