https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689344#M19491 <P>Hi everyone, I have a problem with the line-break in Splunk.&nbsp;I have tried following the methods as in other posts.&nbsp;<BR />Here is my props.conf<BR />[test1:sec]<BR />SHOULD_LINEMERGE=false<BR />LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=AUTO<BR />disabled=false<BR />TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%9QZ<BR />TIME_PREFIX=&lt;TimeCreated SystemTime='<BR /><BR />when I applied this sourcetype in raw windows, it work. but after I finished, it was one event<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-06-03_113906.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31108i4F92E7068BD6CDE6/image-size/large?v=v2&amp;px=999" role="button" title="2024-06-03_113906.png" alt="2024-06-03_113906.png" /></span><BR /><BR /><BR />raw windows</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thangs4_0-1717389331887.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31107i2375D9FCF3129DDB/image-size/medium?v=v2&amp;px=400" role="button" title="thangs4_0-1717389331887.png" alt="thangs4_0-1717389331887.png" /></span><BR />#line-break</P><P>&nbsp;</P> Mon, 03 Jun 2024 04:44:45 GMT thangs4 2024-06-03T04:44:45Z https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689344#M19491 <P>Hi everyone, I have a problem with the line-break in Splunk.&nbsp;I have tried following the methods as in other posts.&nbsp;<BR />Here is my props.conf<BR />[test1:sec]<BR />SHOULD_LINEMERGE=false<BR />LINE_BREAKER=([\r\n]+)<BR />NO_BINARY_CHECK=true<BR />CHARSET=AUTO<BR />disabled=false<BR />TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%9QZ<BR />TIME_PREFIX=&lt;TimeCreated SystemTime='<BR /><BR />when I applied this sourcetype in raw windows, it work. but after I finished, it was one event<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-06-03_113906.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31108i4F92E7068BD6CDE6/image-size/large?v=v2&amp;px=999" role="button" title="2024-06-03_113906.png" alt="2024-06-03_113906.png" /></span><BR /><BR /><BR />raw windows</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thangs4_0-1717389331887.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31107i2375D9FCF3129DDB/image-size/medium?v=v2&amp;px=400" role="button" title="thangs4_0-1717389331887.png" alt="thangs4_0-1717389331887.png" /></span><BR />#line-break</P><P>&nbsp;</P> Mon, 03 Jun 2024 04:44:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689344#M19491 thangs4 2024-06-03T04:44:45Z https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689345#M19492 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268597">@thangs4</a>&nbsp;,<BR /><BR />From your second screenshot it doesn't look like the events are being parsed correctly. It looks like there wasn't a clean break between the events, and a timestamp wasn't extracted from the first event.&nbsp;</P><P>Try using these settings in props.conf on your indexer/HF to explicitly break events before/after the &lt;Event&gt; and &lt;/Event&gt; tags:</P><LI-CODE lang="markup">KV_MODE=xml TRUNCATE = 0 SHOULD_LINEMERGE = false LINE_BREAKER=([\r\n]+)\&lt;Event\sxmlns TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9QZ TIME_PREFIX=&lt;TimeCreated SystemTime=' MUST_BREAK_AFTER = \&lt;\/Event\&gt; NO_BINARY_CHECK=true CHARSET=AUTO disabled=false</LI-CODE> Mon, 03 Jun 2024 05:08:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689345#M19492 KendallW 2024-06-03T05:08:53Z https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689376#M19495 <P>Thank you for your reply,</P><P>First, let me talk a little bit about my setting. I used regex101 to check the line-break in my config. About the timestamp, it matched with all the events.</P><P>I just tried your settings, it did not work. of course, props.conf in /system/local and restart Splunk. Any other ideas, sir?</P> Mon, 03 Jun 2024 06:57:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689376#M19495 thangs4 2024-06-03T06:57:18Z https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689467#M19501 <P>Here's a couple of things to check:<BR />1. Check the settings you have set in props.conf are actually being applied to the sourcetype:</P><LI-CODE lang="markup">$SPLUNK_HOME/bin/splunk cmd btool props list test1:sec</LI-CODE><P>2. Check in the _internal logs for errors related to parsing for this sourcetype:</P><LI-CODE lang="markup">index=_internal splunk_server=* source=*splunkd.log* (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose) (log_level=WARN OR log_level=ERROR) data_sourcetype="test1:sec"</LI-CODE><P>&nbsp;</P> Tue, 04 Jun 2024 01:06:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689467#M19501 KendallW 2024-06-04T01:06:57Z https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689500#M19505 <P>Where did you put your props.conf? (on which component)</P><P>And what does your ingest process look like? Because that's apparently not data from a windows eventlog input.</P> Tue, 04 Jun 2024 07:58:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/event-cannot-break-line/m-p/689500#M19505 PickleRick 2024-06-04T07:58:45Z