I have a log file of properly formatted JSON events, but the event break is not working properly. Sometimes it separates the JSON into separate events, sometimes it does not. There doesn't seem to be any rhyme or reason to this.
I tried the solution here: https://answers.splunk.com/answers/80741/event-break-json.html but it did not work. I am unable to restart Splunk at this time, however, but my understanding is that I shouldn't need to. (Please correct me if I'm wrong.)
Here's my props.conf entry:
[s-web]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false
Here's a sample event:
{"pid":17156,"hostname":"sub.hostname.com","name":"s-undefined","level":30,"time":1515143225539,"remoteAddr":"::ffff:99.99.99.99","remoteAddrs":[],"method":"GET","url":"/","sessionId":"abcd2b32-00e8-4e0b-97f6-23abcdef3233e","v":1}
Am I missing something here?
Thank you in advance for your assistance!
↧