Hello,
I have a problem with merging events: I searched this forum's posts and the documentation and tried a lot of combinations, but it never worked!
**My config:** Test environment = Splunk v5 on a single machine (indexer and search head are on the same machine)
**My log:**
![alt text][1]
**My problem:** Splunk treats each line as an event
**What I want:** An event only for lines which contain "...New SMTP ICID...", so with the 6 lines above I should have 2 events
![alt text][2]
PROPS.CONF tested:
Tried with different LINE_BREAKER values (all tested on regex101 successfully):

```
[iron_log]
TIME_PREFIX = ^<\d\d>
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
LINE_BREAKER = ^.*New SMTP ICID.*
#LINE_BREAKER = ^<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
#LINE_BREAKER = ([\r\n]+)<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
SHOULD_LINEMERGE = false
TRUNCATE = 999999
```
Tried with SHOULD_LINEMERGE and MUST_BREAK_AFTER:

```
[iron_log]
MUST_BREAK_AFTER = ^.*New
#MUST_BREAK_AFTER = ^<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_PREFIX = ^<\d\d>
```
Tried without SHOULD_LINEMERGE:

```
[iron_log]
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ^.*New
#MUST_BREAK_AFTER = ^<\d\d>.{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^\:]+:\s[^\:]+:\sNew SMTP ICID
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_PREFIX = ^<\d\d>
```
I always have one event per line. (I restarted Splunk for each modification and there is no error during the boot check)
If someone has an idea, it would be great!
Thanks in advance
[1]: /storage/temp/76209-log1.png
[2]: /storage/temp/76210-log2.png
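Added illustration, not part of the post above and not Splunk's own code: a small Python model of the documented LINE_BREAKER rule (the regex runs over the raw stream, the text matched by its first capturing group is the delimiter and is discarded, and the regex must have such a group). The six syslog-style lines are constructed in the shape the post's regexes expect, since the real log is only a screenshot; `line_break` and `has_delimiter_group` are hypothetical helper names.

```python
import re

# Constructed sample lines in the shape the post's regexes describe
# (<PRI>Mon DD HH:MM:SS host: level: message); two "New SMTP ICID" headers,
# so the desired result is two events of three lines each.
SAMPLE = "\n".join([
    "<22>Oct 05 10:00:01 esa01 mail_logs: Info: New SMTP ICID 101 interface Data 1 (192.0.2.10) address 198.51.100.5",
    "<22>Oct 05 10:00:01 esa01 mail_logs: Info: ICID 101 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None",
    "<22>Oct 05 10:00:02 esa01 mail_logs: Info: Start MID 5001 ICID 101",
    "<22>Oct 05 10:00:07 esa01 mail_logs: Info: New SMTP ICID 102 interface Data 1 (192.0.2.10) address 203.0.113.9",
    "<22>Oct 05 10:00:07 esa01 mail_logs: Info: ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None",
    "<22>Oct 05 10:00:08 esa01 mail_logs: Info: Start MID 5002 ICID 102",
]) + "\n"

# Capture only the newline run as the delimiter and use a lookahead for the
# "New SMTP ICID" header, so the header itself stays inside the next event.
BREAK_BEFORE_NEW_ICID = (
    r"([\r\n]+)(?=<\d\d>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s[^:]+:\s[^:]+:\sNew SMTP ICID)"
)


def has_delimiter_group(line_breaker: str) -> bool:
    """LINE_BREAKER needs a capturing group; a pattern without one has no delimiter."""
    return re.compile(line_breaker).groups > 0


def line_break(raw: str, line_breaker: str) -> list[str]:
    """Model of the LINE_BREAKER rule: wherever the regex matches, the start of
    group 1 ends the previous event, the end of group 1 starts the next one, and
    the group's text is dropped. Text matched outside group 1 is kept."""
    if not has_delimiter_group(line_breaker):
        raise ValueError("LINE_BREAKER has no capturing group, so nothing can be used as a delimiter")
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


if __name__ == "__main__":
    print("default ([\\r\\n]+):", len(line_break(SAMPLE, r"([\r\n]+)")), "events")
    print("break before New SMTP ICID:", len(line_break(SAMPLE, BREAK_BEFORE_NEW_ICID)), "events")
    print("^.*New SMTP ICID.* usable:", has_delimiter_group(r"^.*New SMTP ICID.*"))
```

The same model also accepts the post's third, commented-out pattern (`([\r\n]+)<\d\d>...New SMTP ICID`), since only the newline group is discarded and the header text it matches stays with the following event.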