With multi-line logs, I am trying to linebreak on an obvious linebreaker of dashes (----------------------------------------------------------). (Note in the below examples it appears to be coming across as a whole line, but it should be like above).
**Example log:**

```
ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84
EventId : 300
Keywords : 4
Level : Informational
Message : Application information
Opcode : Info
Task : 65234
Version : 0
Payload : Generic information
EventName : InfoInfo
ProcessId : 6528
ThreadId : 12524
Timestamp : 2019-08-30 12:32:50 PM
----------------------------------------------------------
```
I've tried various regex expressions, one such as `^(\s+)-+(\s+)$`, to break on the line, but the results don't seem to work. Also, Splunk seems to interpret the Timestamp as the beginning of the log, but it is actually the last part of the log before the linebreak.
In general Splunk will display the events as (note the Timestamp is first, but it should be last):
**Example results:**

```
Timestamp : 2019-08-30 12:32:50 PM
----------------------------------------------------------
ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84
EventId : 300
Keywords : 4
...
```
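Added example (not from the original post, and not Splunk's own code): a Python sketch that applies the question's regex and a `LINE_BREAKER`/`TIME_PREFIX` pair of the kind you would put in `props.conf` to a constructed copy of the sample log, showing why the first never splits and how the second yields events that end with the Timestamp line. The sourcetype name and the `props.conf` values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the question's format: two events, each terminated
# by the dash separator line. (Sample data, not real log output.)
SAMPLE = (
    "ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84\n"
    "EventId : 300\n"
    "Timestamp : 2019-08-30 12:32:50 PM\n"
    "----------------------------------------------------------\n"
    "ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84\n"
    "EventId : 301\n"
    "Timestamp : 2019-08-30 12:33:05 PM\n"
    "----------------------------------------------------------\n"
)

# The regex from the question. \s+ demands whitespace on both sides of the
# dashes, but the separator line is dashes only, so it never matches.
ORIGINAL_BREAKER = r"^(\s+)-+(\s+)$"

# Assumed props.conf stanza (example settings, not from the page):
#   [win_app_events]              <- hypothetical sourcetype name
#   SHOULD_LINEMERGE = false      <- otherwise Splunk starts an event at the
#                                    first line holding a date (Timestamp)
#   LINE_BREAKER = ([\r\n]+-{20,}[\r\n]*)
#   TIME_PREFIX = Timestamp\s*:\s*
#   TIME_FORMAT = %Y-%m-%d %I:%M:%S %p
LINE_BREAKER = r"([\r\n]+-{20,}[\r\n]*)"
TIME_PREFIX = r"Timestamp\s*:\s*"
TIME_FORMAT = "%Y-%m-%d %I:%M:%S %p"


def split_events(raw, breaker):
    """Split like Splunk's LINE_BREAKER: text in capture group 1 is the
    boundary and is discarded; the next event starts right after it."""
    events, start = [], 0
    for m in re.finditer(breaker, raw, re.MULTILINE):
        chunk = raw[start:m.start(1)]
        if chunk.strip():
            events.append(chunk)
        start = m.end(1)
    if raw[start:].strip():
        events.append(raw[start:])
    return events


def extract_timestamp(event):
    """Mimic TIME_PREFIX + TIME_FORMAT: parse the time after the prefix."""
    m = re.search(TIME_PREFIX + r"(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M)", event)
    return datetime.strptime(m.group(1), TIME_FORMAT) if m else None
```

Running `split_events(SAMPLE, ORIGINAL_BREAKER)` returns the whole sample as one event, while `split_events(SAMPLE, LINE_BREAKER)` returns two events that each begin with `ProviderId` and end with the `Timestamp` line, with the dashes dropped.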