I've got my props.conf set up for reading entire files as one event as such:
[sourcetypename]
SHOULD_LINEMERGE = false
LINE_BREAKER = ((*FAIL))
TRUNCATE = 999999999
MAX_EVENTS = 999999999
The file I am reading has multiple timestamps in it, and Splunk will split it into multiple events at every timestamp.
How can I prevent the events from splitting at every timestamp?
How to edit my sourcetype in props.conf to prevent Splunk from splitting events at every timestamp?