I want my logs to be indexed as follows :-
EVENT-1 THIS IS SOME LINE
New line 1
New line 2
New line 3
New line ..
New line ..
New line 21
EVENT-2 THIS IS SOME LINE
New line 1
New line 2
New line 3
New line ..
New line ..
New line 21
**But they get Indexed like :**
EVENT-1 THIS IS SOME LINE
New line 1
New line 2
New line 3
EVENT-2
New line ..
New line ..
New line 21
EVENT-3 THIS IS SOME LINE
New line 1
New line 2
New line 3
EVENT-4
New line ..
New line ..
New line 21
Basically its givining a LINE BREAK after a fixed set of lines instead of what I have configured in props.conf.
How can I increase the number of lines/events that can be grouped together in one event ?
I used the following props.conf
[punchout]
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\r\n]+)\[\w+\]\s\[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}\].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TIME_FORMAT =%m/%d/%Y %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = \[
TRUNCATE = 0
MAX_EVENTS = 20000
↧