https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468484#M1788 <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = .*($) </CODE></PRE> <P>if <CODE>SHOULD_LINEMERGE = false</CODE> , <CODE>LINE_BREAKER</CODE> works.</P> <P><CODE>.*($)</CODE> is intended to be the end of the event.</P> Sat, 04 Apr 2020 22:34:58 GMT to4kawa 2020-04-04T22:34:58Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468480#M1784 <P>[ANSWERED by to4kawa]</P> <P>props.conf should be</P> <PRE><CODE>[yoursourcetype] DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = false LINE_BREAKER = .*($) </CODE></PRE> <P>I have a Catch 22 issue. I want three things to happen.</P> <OL> <LI>I want to monitor a log file and to <STRONG>combine all lines into a single event</STRONG> until the file is not updated for 2 seconds or more.</LI> <LI>I want to <STRONG>disable all time extraction</STRONG>, I want all the time set to current (ie _indextime).</LI> <LI>Being able to handle arbitrary data <STRONG>without any separators</STRONG>.</LI> </OL> <P>Imagine my file is empty and then within a microsecond these three lines are added to my file.</P> <PRE><CODE>TEST1 Fri Apr 6 20:05:59 EDT 2020 TEST2 Fri Apr 3 20:04:30 EDT 2020 TEST3 Fri Apr 1 20:05:59 EDT 2020 </CODE></PRE> <P>I would like them all to be combined into a single event. And I want the timestamp to be set to current.</P> <P>If I just just start monitoring the file without any props it combines the events into a single one just fine. BUT it will try to parse the timestamps and they will be all over the place. If I mod props.conf and set DATETIME_CONFIG=CURRENT it will set the time to the current one but then split the events into single lines.</P> <P>So I am in a catch 22, I can have one or the other. Any ideas what inputs/props/transforms combo I can have that ignores all time stamps, and combines the events into a single one no matter what.</P> <P>I honestly want something that checks if file has not been modified for 2 seconds and then combine everything new that was added into <STRONG>ONE</STRONG> event.</P> <P>Thanks!</P> Mon, 08 Jun 2020 21:33:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468480#M1784 ifeldshteyn 2020-06-08T21:33:48Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468481#M1785 <P><CODE>until the file is not updated for 2 seconds or more.</CODE><BR /> what's inputs.conf?<BR /> this is not pops.conf issue.</P> Sat, 04 Apr 2020 02:55:42 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468481#M1785 to4kawa 2020-04-04T02:55:42Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468482#M1786 <P>These settings should help. Adjust the <CODE>TRUNCATE</CODE> and <CODE>MAX_EVENTS</CODE> settings as appropriate for your data.</P> <P>inputs.conf:</P> <PRE><CODE>[monitor://my/file] multiline_event_extra_waittime = true time_before_close = 2 sourcetype = foo index = bar </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[foo] DATETIME_CONFIG = current SHOULD_LINEMERGE = true TRUNCATE = 10000 MAX_EVENTS = 256 </CODE></PRE> Sat, 04 Apr 2020 12:45:37 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468482#M1786 richgalloway 2020-04-04T12:45:37Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468483#M1787 <P>Hi Rich,</P> <P>I just tried this. </P> <P>INPUTS.CONF</P> <PRE><CODE> [monitor:///tmp/test3.log] disabled = false sourcetype = mytest multiline_event_extra_waittime = true time_before_close = 2 </CODE></PRE> <P>PROPS.CONF</P> <PRE><CODE>[mytest] DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = true TRUNCATE = 10000 MAX_EVENTS = 256 </CODE></PRE> <P>I've added </P> <PRE><CODE>TEST8 Fri Apr 6 21:05:59 EDT 2020 TEST8 Fri Apr 3 21:04:30 EDT 2020 TEST8 Fri Apr 1 21:05:59 EDT 2020 </CODE></PRE> <P>But they came as separate events on Splunk 8.</P> <P><IMG src="https://i.imgur.com/aYhZLiF.png" alt="alt text" /></P> Sat, 04 Apr 2020 22:01:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468483#M1787 ifeldshteyn 2020-04-04T22:01:21Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468484#M1788 <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = .*($) </CODE></PRE> <P>if <CODE>SHOULD_LINEMERGE = false</CODE> , <CODE>LINE_BREAKER</CODE> works.</P> <P><CODE>.*($)</CODE> is intended to be the end of the event.</P> Sat, 04 Apr 2020 22:34:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468484#M1788 to4kawa 2020-04-04T22:34:58Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468485#M1789 <P>That's perfect, thank you! The below came together as one event AND the timestamp is auto set to current. </P> <PRE><CODE>4/4/20 7:09:02.000 PM TEST11 Fri Apr 6 22:05:59 EDT 2020 TEST11 Fri Apr 3 22:04:30 EDT 2020 TEST11 Fri Apr 1 22:05:59 EDT 2020 </CODE></PRE> <P>Appreciate your time</P> Sat, 04 Apr 2020 23:20:30 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468485#M1789 ifeldshteyn 2020-04-04T23:20:30Z https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468486#M1790 <P>your welcome<BR /> <CODE>.*($)</CODE> is OK, I recognized it, too.</P> Sun, 05 Apr 2020 00:25:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/Multiline-Event-Breaking-and-Current-Time/m-p/468486#M1790 to4kawa 2020-04-05T00:25:45Z