
Simple concatenated json line breaker in Splunk


I know this is probably simple, but for some reason I am able to get a line breaker working in Splunk. I am fetching a data source from AWS S3, and multiple events in JSON format are concatenated. e.g.

{"key":"value", {"composite":"result"}}{"something":"else"}

So LINE_BREAKER should match on }{ with the left brace included.

I have SHOULD_LINEMERGE=false and then LINE_BREAKER=(\{.+\})\{ but I lose the closing bracket. The }{ don't have any characters between them (not even a newline). What is the best way to split these?


Solution

  • The LINE_BREAKER attribute requires a capture group, but discards the text that matches the capture group. The solution is to be more creative with the regex.

    LINE_BREAKER=\}()\{
    

    Empty capture groups are allowed.

    Your comments confuse matters. Are events separated by }{ or by {"key"? The value of LINE_BREAKER should be set to whatever separates events. Once you've established that then you can address the TRUNCATE setting.
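To make the capture-group rule concrete, here is an added example (not part of the original question or answer, and not Splunk's own code) that simulates how Splunk applies LINE_BREAKER to a raw stream: the start of the first capturing group ends the previous event, the end of that group starts the next event, and whatever the group matched is discarded. The input is a constructed string of three concatenated JSON objects, and the three regexes compared are assumptions chosen to show why an empty capture group between the braces is the one that keeps both events intact.

```python
import json
import re

# Constructed sample: three JSON events run together with no separator,
# the same shape as the S3 data described in the question.
SAMPLE = (
    '{"user":"alice","action":"login"}'
    '{"user":"bob","action":"logout"}'
    '{"user":"carol","action":"login"}'
)


def split_events(raw: str, line_breaker: str) -> list[str]:
    """Simulate Splunk's LINE_BREAKER semantics on a raw string.

    For each match, text before the first capture group is appended to
    the current event, the captured text is dropped, and a new event
    begins at the end of the capture group.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER requires at least one capture group")
    events = []
    pos = 0
    for m in pattern.finditer(raw):
        events.append(raw[pos:m.start(1)])   # everything up to the group
        pos = m.end(1)                        # group text is discarded
    events.append(raw[pos:])                  # trailing event
    return [e for e in events if e]


def events_parse_as_json(raw: str, line_breaker: str) -> list[bool]:
    """Report, per event, whether the split produced a complete JSON object."""
    results = []
    for event in split_events(raw, line_breaker):
        try:
            json.loads(event)
            results.append(True)
        except json.JSONDecodeError:
            results.append(False)
    return results


if __name__ == "__main__":
    # Hypothetical variants compared against the accepted answer's regex.
    for lb in (r"(\})\{", r"\}(\{)", r"\}()\{"):
        print(f"LINE_BREAKER={lb}")
        for ev, ok in zip(split_events(SAMPLE, lb),
                          events_parse_as_json(SAMPLE, lb)):
            print(f"  valid={ok!s:5}  {ev}")
```

With `(\})\{` the closing brace is captured and therefore discarded from every event except the last; with `\}(\{)` the opening brace of each following event disappears instead. Only `\}()\{`, the empty group sitting between the two braces, leaves all three events parseable, which is exactly the behaviour the answer relies on.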