Why is LINE_BREAKER not always separating?

I have a log that starts each event by a new line starting with a timestamp followed by a space and pipe, like the following:

    2016-04-01T02:55:24.030 |

I have tried setting up props.conf with a new sourcetype, first trying BREAK_ONLY_BEFORE, then LINE_BREAKER. They both seem to work most of the time, but I am still finding chunks of several events lumped into one. I inspected the clumping events in the logs manually, expecting missing line end characters or some other red flag, but haven't found any real reason why the line break isn't working.

BREAK_ONLY_BEFORE:

    [newsource]
    BREAK_ONLY_BEFORE=([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]*\s+\|)
    SHOULD_LINEMERGE=true
    MAX_EVENTS=1000000
    TRUNCATE=0

(Note: I have also tried this without the regex wrapped as a group)

LINE_BREAKER:

    [newsource]
    LINE_BREAKER=([\r\n]+)([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]*\s+\|)
    SHOULD_LINEMERGE=false
    TRUNCATE=0

(I have also tried this without the timestamp portion group-wrapped)

Any ideas why I'm getting these random clusters of events which should be separated? Thanks!

(Using Splunk universal forwarder 6.2.3)
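Added example, not from the question or from Splunk: a Python emulation of LINE_BREAKER's first-capture-group semantics, run with the question's own regex over a constructed log fragment, plus a diagnostic that flags events containing more than one timestamp line and prints them with repr() so hidden characters become visible. It assumes Python's re module behaves like Splunk's PCRE for this pattern; the tab-prefixed fourth line is a constructed trigger, not a claim about the asker's data.

```python
import re

# The LINE_BREAKER regex from the question, unchanged.
LINE_BREAKER = re.compile(
    r"([\r\n]+)([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]*\s+\|)"
)
# Looser "looks like an event start" pattern, used only by the diagnostic.
LOOSE_START = re.compile(r"^\s*\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def split_events(raw, breaker=LINE_BREAKER):
    """Emulate Splunk's LINE_BREAKER with SHOULD_LINEMERGE=false: the text
    matched by the first capture group is discarded and the event boundary
    is placed there, so group 2 (the timestamp) stays with the next event."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def find_clumps(events):
    """Return (index, timestamp_lines) for events holding more than one
    timestamp-looking line, i.e. the clumps the question describes. Lines
    are repr()'d so a stray tab, \\r or odd byte before the timestamp shows."""
    clumps = []
    for i, ev in enumerate(events):
        starts = [repr(l) for l in ev.splitlines() if LOOSE_START.match(l)]
        if len(starts) > 1:
            clumps.append((i, starts))
    return clumps


# Constructed sample: four events; the last begins with a tab before the
# timestamp, so the breaker does not fire and it merges into event 3.
SAMPLE = (
    "2016-04-01T02:55:24.030 | INFO  first event\r\n"
    "2016-04-01T02:55:25.100 | ERROR second event\r\n"
    "    at com.example.Foo.bar(Foo.java:42)\r\n"
    "2016-04-01T02:55:26.200 | INFO  third event\r\n"
    "\t2016-04-01T02:55:27.300 | INFO  fourth event\r\n"
)

if __name__ == "__main__":
    evs = split_events(SAMPLE)
    print(len(evs), "events")
    for idx, lines in find_clumps(evs):
        print("clump in event", idx, lines)
```

To check a real file, replace SAMPLE with its contents and inspect the repr() output of every flagged event for whatever sits between the line break and the timestamp.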
