https://community.splunk.com/t5/Splunk-Enterprise/help-with-setting-Line-Breaker-and-Event-Time-needed/m-p/527915#M4072 <P>Hello,</P><P>&nbsp;</P><P>I have following security log entries:</P><LI-CODE lang="python">*********************************************************************************** ****** SECURITY WARNING ****** *********************************************************************************** Wed Nov 4 04:39:25 2020 Error: Permission denied (-13), Access denied [http_rewrite.c 4012] CONNECTION (id=2738/2739): used: 1, type: default, role: Server(1), stateful: 0 nihdl: -1, ssl: (nil), protocol: HTTPS(2) local host: XXX:42217 () remote host: XXX:443 () - (-) system: proxy prot local host: XXX:443 own remote host: XXX:35636 [Thr 140203996280576] Address Offset REQUEST: [Thr 140203996280576] ------------------------------------------------------------------------ [Thr 140203996280576] 7f83d21ec910 000000 47455420 2f666176 69636f6e 2e69636f |GET /favicon.ico| [Thr 140203996280576] 7f83d21ec920 000016 20485454 502f312e 310d0a68 6f73743a | HTTP/1.1..host:| .... .... [Thr 140203996280576] 7f83d21ecce0 000976 702d7561 2d70726f 746f636f 6c3a2068 |p-ua-protocol: h| [Thr 140203996280576] 7f83d21eccf0 000992 74747073 0d0a0d0a |ttps.... | [Thr 140203996280576] ------------------------------------------------------------------------ ***********************************************************************************</LI-CODE><P>&nbsp;</P><P>Then they repeat in the above format.</P><P>How and where (which config file) would I set the correct line breaking and event time setting?</P><P>Kind Regards,</P><P>Kamil&nbsp;</P> Wed, 04 Nov 2020 13:23:36 GMT damucka 2020-11-04T13:23:36Z https://community.splunk.com/t5/Splunk-Enterprise/help-with-setting-Line-Breaker-and-Event-Time-needed/m-p/527915#M4072 <P>Hello,</P><P>&nbsp;</P><P>I have following security log entries:</P><LI-CODE lang="python">*********************************************************************************** ****** SECURITY WARNING ****** *********************************************************************************** Wed Nov 4 04:39:25 2020 Error: Permission denied (-13), Access denied [http_rewrite.c 4012] CONNECTION (id=2738/2739): used: 1, type: default, role: Server(1), stateful: 0 nihdl: -1, ssl: (nil), protocol: HTTPS(2) local host: XXX:42217 () remote host: XXX:443 () - (-) system: proxy prot local host: XXX:443 own remote host: XXX:35636 [Thr 140203996280576] Address Offset REQUEST: [Thr 140203996280576] ------------------------------------------------------------------------ [Thr 140203996280576] 7f83d21ec910 000000 47455420 2f666176 69636f6e 2e69636f |GET /favicon.ico| [Thr 140203996280576] 7f83d21ec920 000016 20485454 502f312e 310d0a68 6f73743a | HTTP/1.1..host:| .... .... [Thr 140203996280576] 7f83d21ecce0 000976 702d7561 2d70726f 746f636f 6c3a2068 |p-ua-protocol: h| [Thr 140203996280576] 7f83d21eccf0 000992 74747073 0d0a0d0a |ttps.... | [Thr 140203996280576] ------------------------------------------------------------------------ ***********************************************************************************</LI-CODE><P>&nbsp;</P><P>Then they repeat in the above format.</P><P>How and where (which config file) would I set the correct line breaking and event time setting?</P><P>Kind Regards,</P><P>Kamil&nbsp;</P> Wed, 04 Nov 2020 13:23:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/help-with-setting-Line-Breaker-and-Event-Time-needed/m-p/527915#M4072 damucka 2020-11-04T13:23:36Z https://community.splunk.com/t5/Splunk-Enterprise/help-with-setting-Line-Breaker-and-Event-Time-needed/m-p/528515#M4104 <P>I managed to solve it with the below configuration:</P><LI-CODE lang="python">[webdispatcher] SHOULD_LINEMERGE=false NO_BINARY_CHECK=true LINE_BREAKER= \*{83}\n\*{6} {30}SECURITY WARNING {25}\*{6}\n\*{83}</LI-CODE> Mon, 09 Nov 2020 11:01:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/help-with-setting-Line-Breaker-and-Event-Time-needed/m-p/528515#M4104 damucka 2020-11-09T11:01:04Z