I am looking to break out the raw data below into individual events instead of all in one event. I have passed SHOULD_LINEMERGE in the props.conf file; however, I am not seeing the expected results. Once I resolve the line break issue, I can map the fields properly, separated by pipe (shown below). Any suggestions would be greatly appreciated.
[monitor:///y3100/running/SPLUNK_VOLBIL_DATA.DAT]
disabled = false
index = VOLBIL
sourcetype = SPLUNK_VOLBIL_DATA.DAT
props.conf
[SPLUNK_VOLBIL_DATA.DAT]
SHOULD_LINEMERGE = false
_raw events:
03/07/2017|10:00:37|Splunk Vol/Bill Data
02/28/2017|*|CIF|0|999|||||||||||2|2||
02/28/2017|D|CD|3500|PPB|250|250|||6||250|250|89|89||||
02/28/2017|D|CD|3501|PPB|25|25|||2||25|25|13|13||||
02/28/2017|D|DDA|4100|PPB|1|1|||||1|1||||||
02/28/2017|D|SAV|3000|PPB|888|888|||14|2|888|888|219|219||||
02/28/2017|D|SAV|3001|PPB|67|67|||||67|67|14|14||||
custom fields: (once I figure out line break issue)
Processing_Date|Product_Class|Billing-Volume_Category|Product_Type|Company_Code|Volume_Activity_Totals|Billing_Activity_Totals|Volumes_Inactive_Totals|Billing_Inactive_Totals|Volumes_Closed_Totals|Billing_Closed_Totals|Volumes_Open_Totals|Billing_Open_Totals|Volumes_New_Origination_Totals|Billing_New_Origination_Totals|Volumes_Cif_Not_Tied_to_Profile_Totals|Billing Cif_Not_Tied_to_Profile_Totals|Volumes_Re-opened_Totals|Billing_Reopened_Totals