https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40913#M13789 <P>I am very new to Splunk and this may be a rookie question but I cannot find this anywhere. I have a custom generated demo log file with 1000 similarly structured lines. For some reason, Splunk reads in the first 257 lines as one event, and then the next 743 lines as separate events.</P> <P>I figured it had something to do with either LINE _ BREAKER or MAX _ EVENTS but the strange thing is that it's not consistent. I would be less surprised if it grouped all my events per 257 in stead of just the first 257 and then single event per line from there on.</P> <P>Could it perhaps have something to do with the fact that I don't have a timestamp added yet?</P> Tue, 21 May 2013 12:38:05 GMT vanaepi 2013-05-21T12:38:05Z https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40913#M13789 <P>I am very new to Splunk and this may be a rookie question but I cannot find this anywhere. I have a custom generated demo log file with 1000 similarly structured lines. For some reason, Splunk reads in the first 257 lines as one event, and then the next 743 lines as separate events.</P> <P>I figured it had something to do with either LINE _ BREAKER or MAX _ EVENTS but the strange thing is that it's not consistent. I would be less surprised if it grouped all my events per 257 in stead of just the first 257 and then single event per line from there on.</P> <P>Could it perhaps have something to do with the fact that I don't have a timestamp added yet?</P> Tue, 21 May 2013 12:38:05 GMT https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40913#M13789 vanaepi 2013-05-21T12:38:05Z https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40914#M13790 <P>Yes. If there is no timestamp Splunk will have problems to automatically create/break events.</P> <P>If you <EM>really</EM> want to index the events anyway you should set the following in props.conf;</P> <PRE><CODE>[your sourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) DATETIME_CONFIG = CURRENT </CODE></PRE> <P>Read more about that here:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> <P>/k</P> Tue, 21 May 2013 12:48:53 GMT https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40914#M13790 kristian_kolb 2013-05-21T12:48:53Z https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40915#M13791 <P>Try the truncate option in the props.conf stanza for the sourcetype. Truncate is needed when the file you're consuming is abnormally large or the lines in the file are abnormally long (no line breaks etc). From the <A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Indexmulti-lineevents">doc</A>, "Change the default maximum line length (in bytes)"</P> <P>For instance, if you were to consume the applicationHost.config files for IIS servers you could use the following stanza in props.conf:</P> <PRE><CODE>[iisconfig] SHOULD_LINEMERGE = True MAX_EVENTS = 400960 LINE_BREAKER = &lt;/configuration&gt; NO_BINARY_CHECK = true TRUNCATE = 1000000 </CODE></PRE> <P>And in inputs.conf:</P> <PRE><CODE>[monitor://C:\Windows\System32\inetsrv\config\applicationHost.conf] disabled = 0 host = hostname index = main sourcetype = iisconfig crcSalt = &lt;SOURCE&gt; </CODE></PRE> Tue, 21 May 2013 14:32:44 GMT https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40915#M13791 jkat54 2013-05-21T14:32:44Z https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40916#M13792 <P>Who down voted my solution? It would solve his problem if his issue was long lines. The issue that truncate solves can be explained the exact same way he explained his problem. So without a example of the data he's consuming both answers could be correct.</P> Tue, 21 May 2013 18:30:47 GMT https://community.splunk.com/t5/Security/Inconsistent-line-breaking/m-p/40916#M13792 jkat54 2013-05-21T18:30:47Z