Hello;
I found a problem breaking multiline events in Splunk. I need to break events that have this format:
Events: {"ext, "aaaaaaaaaaaaaaaaaaaaa","":"2"}< >{""ext, "aaaaaaaaaaaaaaaaaaaaa","":"3"}
In the props.conf file, I added these lines, but it's not breaking those events:
[stash]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
BREAK_ONLY_AFTER = (}< >)
SHOULD_LINEMERGE = TRUE
I will appreciate all your help!
Thank you
... View more