https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688677#M19454 <P>Ugh. That's bad. While <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> 's solution should work (you can try to be even more explicit with more precise definition of the timestamp format for linebreaking you'll be getting some ugly trailers to some of your events. Also since these are contents of a json field, some characters will most probably be escaped.</P><P>It would be best if you managed to:</P><P>1) Work with the source side so that you get your event in a more reasonable way (without all this json overhead) - preferred option</P><P>2) If you can't do that, use a pre-processing step in form of an external script/tool/whatever which will "unpack" those jsons and just leave you with raw data.</P> Sat, 25 May 2024 16:09:03 GMT PickleRick 2024-05-25T16:09:03Z https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688575#M19447 <P>{"body":"<FONT color="#FF0000">2024-04-29T20:25:08.175779</FONT> HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XX Logon Failed: Anonymous\n<FONT color="#FF0000">2024-04-29T20:25:10.190339</FONT> HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n<FONT color="#FF0000">2024-04-29T20:25:10.241220</FONT> HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-29T20:25:10.342343 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n","x-opt-sequence-number-epoch":-1,"x-opt-sequence-number":1599,"x-opt-offset":"3642132344","x-opt-enqueued-time":1714422318556}<BR />{"body":"<FONT color="#FF0000">2024-04-24T12:46:29.292880</FONT> HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n<FONT color="#FF0000">2024-04-24T12:46:34.634829</FONT> HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n2024-04-24T12:46:34.651499 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.653643 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n2024-04-24T12:46:34.662636 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.712475 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.723543 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:36.403615 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n","x-opt-sequence-number-epoch":-1,"x-opt-sequence-number":156626,"x-opt-offset":"3560527888816","x-opt-enqueued-time":1713962799368}<BR />{"body":"2024-04-24T01:04:30.375693 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n2024-04-24T01:04:35.034067 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n","x-opt-sequence-number-epoch":-1,"x-opt-sequence-number":156,"x-opt-offset":"355193796","x-opt-enqueued-time":171392067}</P><P>&nbsp;</P><P>&nbsp;</P><P>I have pasted my raw log samples in the above space. Can someone please help me to break these into multiple evnts using props.conf</P><P>I wish to break the lines before each timestamp (highlighted).</P><P>&nbsp;</P><P>Thanks,</P><P>Ranjitha</P> Fri, 24 May 2024 07:00:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688575#M19447 RanjithaN99 2024-05-24T07:00:11Z https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688605#M19450 <P>Try&nbsp;</P> <LI-CODE lang="markup">LINE_BREAKER = ()\d{4}-\d\d</LI-CODE> Fri, 24 May 2024 14:06:27 GMT https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688605#M19450 richgalloway 2024-05-24T14:06:27Z https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688677#M19454 <P>Ugh. That's bad. While <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> 's solution should work (you can try to be even more explicit with more precise definition of the timestamp format for linebreaking you'll be getting some ugly trailers to some of your events. Also since these are contents of a json field, some characters will most probably be escaped.</P><P>It would be best if you managed to:</P><P>1) Work with the source side so that you get your event in a more reasonable way (without all this json overhead) - preferred option</P><P>2) If you can't do that, use a pre-processing step in form of an external script/tool/whatever which will "unpack" those jsons and just leave you with raw data.</P> Sat, 25 May 2024 16:09:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Line-breaking-using-props-conf/m-p/688677#M19454 PickleRick 2024-05-25T16:09:03Z