Hello!
Our application creates one log file a day. In the log file, every line is being divided into a separate event. I am trying to have Splunk merge all the lines into one event. Simple, right? Not in my case, apparently.
At the end of the log is this text: **Batch tasks have been completed. To finish press any key.**
Example:

```
Upload of C:\OESP_DATA\Feeds\Daily\MOF\request\ESPIncReq_P_3119_20160826_T014444.xml.ent succeeded
Finished building request for MOF.........
Finished putting files........
Batch tasks have been completed. To finish press any key.
```
So I have added this stanza to my props.conf on the indexer:

```
[wrkflowsched_log]
SHOULD_LINEMERGE = True
MUST_NOT_BREAK_BEFORE = Batch tasks have been completed
```
I have also tried this regex for the MUST_NOT_BREAK_BEFORE statement:

```
MUST_NOT_BREAK_BEFORE = /Batch tasks have been completed. To finish press any key/
```

(which seems to match at regexr.com)

wrkflowsched_log is the sourcetype.
I then restart the indexer and write a new file in the targeted log directory on the source. I write some text, save it, and then write another line and save it. Every time, each line shows as a new event even though I have not written the **Batch tasks have been completed** statement.
I have verified there is no props.conf in the local folder on the source.
Any thoughts?
Thanks!
AlexW
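To make the intended event boundary concrete, here is an added Python model (editor's example, not Splunk's own line-merging code and not part of the post above). It groups the sample log lines into one event per "Batch tasks have been completed" terminator, returning any lines after the last terminator as a partial event, and checks the two regex forms from the post against the terminator line. It assumes props.conf regexes are bare PCRE patterns with no `/.../` delimiters, so the slashes in the second form are matched as literal characters.

```python
import re
from typing import List

# Constructed sample: the four lines quoted in the post, plus one extra
# line from the same excerpt to represent a batch that is still running.
SAMPLE_LOG = r"""Upload of C:\OESP_DATA\Feeds\Daily\MOF\request\ESPIncReq_P_3119_20160826_T014444.xml.ent succeeded
Finished building request for MOF.........
Finished putting files........
Batch tasks have been completed. To finish press any key.
Finished building request for MOF.........
"""

# The two regexes tried in the post, exactly as written in props.conf.
REGEX_PLAIN = r"Batch tasks have been completed"
REGEX_SLASHED = r"/Batch tasks have been completed. To finish press any key/"
TERMINATOR_LINE = "Batch tasks have been completed. To finish press any key."


def regex_matches_terminator(pattern: str) -> bool:
    """True if `pattern` matches the terminator line.

    The pattern is applied as a bare regex (assumption: no /.../ delimiters,
    as in props.conf), so a leading or trailing slash must appear literally
    in the log line for the match to succeed.
    """
    return re.search(pattern, TERMINATOR_LINE) is not None


def merge_batches(text: str, terminator: str = REGEX_PLAIN) -> List[str]:
    """Model of the wanted behaviour: accumulate lines until one matches
    `terminator`, then emit the accumulated lines as a single event.

    Lines after the last terminator are returned as a trailing partial
    event, which is what an unfinished batch looks like while the log is
    still being written.
    """
    events: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        current.append(line)
        if re.search(terminator, line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events
```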