Hi everyone,
I've got an application sending data to Splunk, which is split over multiple lines instead of being kept on the same line.
When I redirect my data to a file instead of Splunk, I can see that the ASCII code #012 is sent as part of the string.
**Example:**
```
... #012Change details : #012filewrite#012 ...
```
**Which is split into multiple lines in Splunk:**
```
...
9/29/16 3:25:30.000 AM filewrite
host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog
9/29/16 3:25:30.000 AM Change details :
host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog
...
```
Is there any way to replace the ASCII code #012 before indexing it into Splunk?
I've tried adding this config to my props.conf, but it did not solve it.
```
[syslog]
LINE_BREAKER=#012
SHOULD_LINEMERGE=true
```
And also this one:
```
[syslog]
SEDCMD-fim = s/\#012/ /g
```
Thanks for your support.