topic Issue with event Line Breaking in Splunk Enterprise

Issue with event Line Breaking

SplunkExplorer — Thu, 02 May 2024 15:36:12 GMT

Hi Splunkers, I have an inssue with a line breaking use case. I know it is very simple to fix, but I still have the problem, so there is something I'm not getting in the right way.
First, a little bit of info about env.

Log source: custom application
Input type: File monitor Input
File monitoring: via UF, so a deployed app has been deployed with a DS
Final flow: Log Source with UF -> HF -> Splunk Cloud
Data are ingested? Yes.

Issue: once log are collected, we got a unique big log. So, we need to separate logs in different events. So I thought: Ok fine, I did a lot of custom addon, I know how do do it. By the way, I did not performed initial configuration about UF, so I check related deployed app and logs . That's the summary:

Single event ends with "platform":"ArcodaSAT"}
UF deployed app is very simple: it has an app.conf, an inputs,.conf and a props.conf.
inputs.conf file works fine due logs are ingested from the right source
Below, settings in I found in props.conf:

[<sourcetype_name>]
CHARSET=AUTO
LINE_BREAKER = (\"platform\"\:\"ArcodaSAT\"\})
SHOULD_LINEMERGE = true

Observation:

Regex is fine; I tested it on regex101 with a log sample and it catch fine.
I tried, in the LINE_BREAKER, both using round brackets - cause documentation say that parameter use the capture group to check where new log starts - and without. Same result.
SHOULD_LINEMERGE has be set both as true and false: same result

Let me say again: I know this is some nonsense I'm missing, but I can't find it.

Re: Issue with event Line Breaking

marnall — Thu, 02 May 2024 18:24:20 GMT

The props.conf file should be on the machine that is parsing your logs. If your log path is UF->HF->Cloud, then likely the HF machine is the one doing the parsing, and it should have the props.conf file, not the UF.

Also, keep in mind that the first capture group of LINE_BREAKER is discarded. It is intended to capture the filler characters that occur between distinct events. If you would like to keep "platform":"ArcodaSAT"} as part of the first event, then it should not be in a capture group. Try this:

LINE_BREAKER = \"platform\"\:\"ArcodaSAT\"\}()

For SHOULD_LINEMERGE, this would be better set as FALSE unless you would like events to be recombined to make bigger events. If your LINE_BREAKER above works well to separate distinct events, then SHOULD_LINEMERGE should be false

SHOULD_LINEMERGE = false

Re: Issue with event Line Breaking

richgalloway — Thu, 02 May 2024 18:31:14 GMT

The LINE_BREAKER attribute requires at least one capture group and the text that matches the first capture group will be discarded and replaced with a event break. Knowing this and that an empty capture group is allowed, try these settings:

[<sourcetype_name>] CHARSET=AUTO LINE_BREAKER = "platform":"ArcodaSAT"\}() SHOULD_LINEMERGE = false