This is a long question.
We have a Heavy Forwarder and an Indexer cluster (managed through indexer cluster master.) I have a scripted input that pulls some data which is in "array of json" format. To remove the complication of array of jason, I am using SEDCMD, which works perfect. But my LINE_BREAKER does not work.
The custom add-on which has the input is hosted on the Heavy Forwarder and the props.conf is present on both HF as well as Indexers. The props.conf works perfect if I upload the data to a Single Instance Splunk Enterprise but does not work in HF--> Indexer scenario.
I have tried implementing combinations of the props.conf on both HF and Indexers, but LINE_BREAKER does not work.
Below my props.conf, I have used several combinations of the LINE_BREAKER as well as MUST_BREAK_AFTER (LINE_MERGE = TRUE)
[testdata_api]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
#LINE_BREAKER = ((?
↧