Thursday, February 5, 2015

Multiple events logged to a single log line – how to work with it in Splunk

I have log lines that are really multiple lines of events (JSON in this case, and many events are batch-logged at once). I need Splunk to split them into individual events.


props.conf is where you have to muck around. And, yes, you have to restart Splunk any time you make changes there.


Ultimately, this worked for me:


[name_of_my_sourcetype]
LINE_BREAKER = (\n)
SHOULD_LINEMERGE = false
TRUNCATE = 0
#TIME_PREFIX = "Timestamp":"
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
#TZ = UTC
KV_MODE = JSON


I’ve commented out the TIME_* settings, but when enabled they set the timestamp of each event to whatever immediately follows the TIME_PREFIX regex match.
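To see what the stanza above actually does to a batch-logged line, here is an added Python model of it (my own example, not code from the original post or from Splunk): it approximates Splunk's LINE_BREAKER semantics (the text matched by the first capture group is discarded and an event boundary placed there), applies the TIME_PREFIX / TIME_FORMAT / TZ logic to each event, and checks that every resulting event is still valid JSON, which is what KV_MODE = JSON needs. The sample batch and the pretty-printed counter-example are constructed; the translation of Splunk's %3N to Python's %f is an assumption made so strptime can parse the milliseconds.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: one "log line" as the application emits it, which is really
# three newline-delimited JSON events batch-logged together.
SAMPLE_BATCH = (
    '{"Timestamp":"2015-02-05T10:15:30.123","level":"INFO","msg":"login ok","user":"alice"}\n'
    '{"Timestamp":"2015-02-05T10:15:31.456","level":"WARN","msg":"login failed","user":"bob"}\n'
    '{"Timestamp":"2015-02-05T10:15:32.789","level":"INFO","msg":"logout","user":"alice"}\n'
)

# Constructed counter-example: a pretty-printed event contains newlines, so a
# newline breaker splits it mid-object and the JSON check below fails.
PRETTY_PRINTED = '{\n  "Timestamp":"2015-02-05T10:15:33.000",\n  "msg":"oops"\n}\n'

LINE_BREAKER = r"(\n)"          # same values as the props.conf stanza
TIME_PREFIX = r'"Timestamp":"'  # regex that precedes the timestamp
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%3N"


def break_events(raw, line_breaker=LINE_BREAKER):
    """Approximate Splunk LINE_BREAKER: text before the first capture group ends the
    previous event, text after it starts the next one, and the captured text is dropped.
    Empty events are discarded, which is what you get with SHOULD_LINEMERGE = false."""
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def splunk_time_format_to_python(fmt):
    """Assumption: Splunk's %3N (milliseconds) maps onto strptime's %f,
    which accepts one to six fractional-second digits."""
    return fmt.replace("%3N", "%f")


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT, tz=timezone.utc):
    """Model TIME_PREFIX / TIME_FORMAT / TZ: find the prefix regex and parse the text that
    immediately follows it. Returns None when the prefix is absent, the case in which
    Splunk would fall back to its other timestamp heuristics."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    # Only the characters up to the closing quote belong to the timestamp.
    tail = event[m.end():].split('"', 1)[0]
    return datetime.strptime(tail, splunk_time_format_to_python(time_format)).replace(tzinfo=tz)


def parse_batch(raw):
    """Break the batch into events, try to parse each as JSON and attach its timestamp."""
    parsed = []
    for ev in break_events(raw):
        try:
            fields = json.loads(ev)
        except json.JSONDecodeError:
            fields = None  # a mis-placed break produced a partial object
        parsed.append({"raw": ev, "fields": fields, "_time": extract_timestamp(ev)})
    return parsed


def check_breaking(raw):
    """Sanity check before trusting the stanza: every event must be valid JSON
    and must carry a parseable timestamp."""
    return all(p["fields"] is not None and p["_time"] is not None for p in parse_batch(raw))


if __name__ == "__main__":
    for p in parse_batch(SAMPLE_BATCH):
        print(p["_time"].isoformat(), p["fields"]["user"], p["fields"]["msg"])
    print("batch ok:", check_breaking(SAMPLE_BATCH))
    print("pretty-printed ok:", check_breaking(PRETTY_PRINTED))
```

Run it against a copy of one real batch line from your source before restarting Splunk: if check_breaking comes back False, the breaker or the prefix regex needs adjusting, and you find out here rather than from a flood of half-events in the index.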




