Sample Data: {{"device_id":"a1c842ef8c0545f48e8e61d3e03c68bb","ip":"192.168.193.162","topic":"DEVICE","event":"device.access", "timestamp":"2015-05-05T20:55:30.904+0000"}}
I want to break this into two separate events using }} as a delimiter:
{{"device_id":"a1c842ef8c0545f48e8e61d3e03c68bb","ip":"192.168.193.162","topic":"DEVICE","event":"device.access", "timestamp":"2015-05-05T20:55:30.904+0000"}}
AND
{{"source":{"email":"johndoe@acme.com"}, "name":"John Doe"},"topic":"FILE","event":"file.create","timestamp":"2015-05-05T20:55:31.428+0000"}}
I created a props.conf file in $SPLUNK_HOME/etc/system/local, added the following lines, and restarted splunkd, but it didn't work.
SHOULD_LINEMERGE = false
LINE_BREAKER = (}})
Any help would be much appreciated!
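Added example, not part of the original post: a Python emulation of the documented LINE_BREAKER rule (the previous event ends where the first capture group starts, the next event begins where it ends, and the group's text is discarded), run on the post's two sample events concatenated into a constructed stream. The `line_break` helper and the second pattern are assumptions for illustration, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Constructed stream: the two events quoted in the post, back to back with no newline.
STREAM = (
    '{{"device_id":"a1c842ef8c0545f48e8e61d3e03c68bb","ip":"192.168.193.162",'
    '"topic":"DEVICE","event":"device.access", '
    '"timestamp":"2015-05-05T20:55:30.904+0000"}}'
    '{{"source":{"email":"johndoe@acme.com"}, "name":"John Doe"},"topic":"FILE",'
    '"event":"file.create","timestamp":"2015-05-05T20:55:31.428+0000"}}'
)

# Pattern from the post (braces escaped for readability; same meaning).
DELIMITER_IN_GROUP = r'(\}\})'
# Assumed alternative: match the delimiter outside the group so it is kept,
# and capture only the (possibly empty) whitespace between events.
DELIMITER_OUTSIDE_GROUP = r'\}\}(\s*)\{\{'


def line_break(stream, pattern):
    """Split `stream` the way LINE_BREAKER is documented to.

    Hypothetical helper: the previous event ends at the start of capture
    group 1, the next event starts at its end, and the text inside the
    group is dropped. Empty trailing events are not emitted.
    """
    events, start = [], 0
    for match in re.finditer(pattern, stream):
        events.append(stream[start:match.start(1)])
        start = match.end(1)
    events.append(stream[start:])
    return [event for event in events if event]


def summarize(pattern):
    """Return (event count, whether every event still ends with '}}')."""
    events = line_break(STREAM, pattern)
    return len(events), all(event.endswith('}}') for event in events)


if __name__ == '__main__':
    for name, pattern in (('delimiter in group', DELIMITER_IN_GROUP),
                          ('delimiter outside group', DELIMITER_OUTSIDE_GROUP)):
        count, intact = summarize(pattern)
        print(f'{name}: {count} events, closing braces kept: {intact}')
        for event in line_break(STREAM, pattern):
            print('   ', event[:40], '...', event[-12:])
```

Both patterns yield two events; the difference is whether the closing `}}` survives in each event, which matters if the events are later parsed as structured data.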