https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546134#M5436 <P>Try this:</P><LI-CODE lang="markup">LINE_BREAKER = (\*{22}\n\w+\s\w+\s\w+\sstart\n)</LI-CODE><P>Note that this will not add the below lines to your events:<BR /><STRONG>*********************</STRONG><BR /><STRONG>Windows PowerShell transcript start&nbsp;</STRONG></P> Wed, 31 Mar 2021 06:32:37 GMT manjunathmeti 2021-03-31T06:32:37Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546114#M5433 <P><SPAN>Hello Guys,</SPAN></P><P><SPAN>Below is my initial event and i want to break each from the staring of this event. As i tried various attributes in props.conf but no luck to break the event from this line.</SPAN></P><P><SPAN>I used as of now:</SPAN></P><P><SPAN>LINE_BREAKER =&nbsp;^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s\d{14}</SPAN></P><P><SPAN>TIME_PREFIX =&nbsp;^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s</SPAN></P><P><SPAN>TIME_FORMAT= %Y%m%d%H%M%S</SPAN></P><P>&nbsp;</P><P><SPAN>********************** </SPAN></P><P><SPAN>Windows PowerShell transcript start</SPAN></P><P><SPAN>Start time: </SPAN><SPAN class="h">20210223060505</SPAN></P><P>&nbsp;</P><P><SPAN class="h">Please suggest me what i did wrong in above props.</SPAN></P> Wed, 31 Mar 2021 04:33:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546114#M5433 uagraw01 2021-03-31T04:33:53Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546129#M5434 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/70277">@uagraw01</a>,<BR /><BR /></P><P>The regex configured for<SPAN>LINE_BREAKER&nbsp;</SPAN>must contain a capturing group. Also, set&nbsp;SHOULD_LINEMERGE to false. Restart forwarder once you add these configurations in props.conf.</P><LI-CODE lang="markup">LINE_BREAKER = (\*{22}\n) TIME_PREFIX = \Start\stime\:\s TIME_FORMAT= %Y%m%d%H%M%S SHOULD_LINEMERGE = false</LI-CODE><P>&nbsp;&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Wed, 31 Mar 2021 05:56:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546129#M5434 manjunathmeti 2021-03-31T05:56:24Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546131#M5435 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;It is still not breaking from the second event start from</P><P>&nbsp;</P><P><SPAN>*********************<BR />Windows PowerShell transcript start<BR />Start time:</SPAN></P> Wed, 31 Mar 2021 06:14:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546131#M5435 uagraw01 2021-03-31T06:14:07Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546134#M5436 <P>Try this:</P><LI-CODE lang="markup">LINE_BREAKER = (\*{22}\n\w+\s\w+\s\w+\sstart\n)</LI-CODE><P>Note that this will not add the below lines to your events:<BR /><STRONG>*********************</STRONG><BR /><STRONG>Windows PowerShell transcript start&nbsp;</STRONG></P> Wed, 31 Mar 2021 06:32:37 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546134#M5436 manjunathmeti 2021-03-31T06:32:37Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546173#M5437 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;No luck for this as well</P> Wed, 31 Mar 2021 08:31:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546173#M5437 uagraw01 2021-03-31T08:31:40Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546174#M5438 <P>Can you post some raw data?</P> Wed, 31 Mar 2021 08:34:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546174#M5438 manjunathmeti 2021-03-31T08:34:09Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546177#M5439 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;Below are my raw data</P><P>&nbsp;</P><P>Windows PowerShell transcript end<BR />End time: 20210223060514<BR />**********************</P><P>**********************<BR />Windows PowerShell transcript start<BR />Start time: 20210209051406</P> Wed, 31 Mar 2021 08:48:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546177#M5439 uagraw01 2021-03-31T08:48:47Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546180#M5440 <P>There is an app developed to consume Windows PowerShell transcript logs:<BR />Check this:<BR /><A href="https://github.com/HurricaneLabs/TA-powershell_transcript" target="_blank">https://github.com/HurricaneLabs/TA-powershell_transcript</A></P><P>It is also there in Splunk base:&nbsp;<A href="https://splunkbase.splunk.com/app/4984/#/details" target="_blank">https://splunkbase.splunk.com/app/4984/#/details</A></P><P>&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Wed, 31 Mar 2021 09:11:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546180#M5440 manjunathmeti 2021-03-31T09:11:15Z https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546686#M5496 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;They suggested, use the add-on which they created and i am able to use Add-on directly in my environment. Is there any other approach to break the lines .</P><P>&nbsp;</P><P>SHOULD_LINEMERGE=false<BR />LINE_BREAKER=^[*]+\n[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\nStart\stime\:\s\d{14}<BR />CHARSET=UTF-8<BR />TIME_FORMAT=%Y%m%d%H%M%S</P><P>&nbsp;</P><P>Still it is not breaking</P> Mon, 05 Apr 2021 09:49:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Linebreak/m-p/546686#M5496 uagraw01 2021-04-05T09:49:51Z