https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48809#M22158 <P>I know, I had a co-worker of mine who's more knowledgeable than I take a look and he was confused as well.</P> Fri, 01 Mar 2013 18:48:37 GMT Daniel_Edwards 2013-03-01T18:48:37Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48807#M22156 <P>Hello,</P> <P>I'm getting input from a log file the contents of which are a long listing a directory containing .rpm files. When I search on the source or sourcetype I get a singe event for every line in the log file. When I search on the index I directed the input to go to, it lumps entries together:</P> <PRE><CODE>-rw------- 1 root root 1.2M Sep 3 13:17 cyrus-sasl-2.1.22-7.el5_8.1.x86_64.rpm -rw------- 1 root root 127K Sep 3 13:15 cyrus-sasl-lib-2.1.22-7.el5_8.1.i386.rpm </CODE></PRE> <P>Is one event instead of two.</P> <P>props.conf looks like this:</P> <P><CODE>[sourcetype::RHEL_mon_log]<BR /> MUST_BREAK_AFTER = &lt;\Q.rpm\E&gt;<BR /> SHOULD_LINEMERGE=true<BR /> </CODE></P> <P>Any suggestions?</P> Fri, 01 Mar 2013 17:44:30 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48807#M22156 Daniel_Edwards 2013-03-01T17:44:30Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48808#M22157 <P>I don't really get it - you're directing these logs to a particular index, and you get different results if you do "index=theindex" than if you do "sourcetype=thesourcetype"?? That sounds very weird to me...</P> Fri, 01 Mar 2013 18:40:00 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48808#M22157 Ayn 2013-03-01T18:40:00Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48809#M22158 <P>I know, I had a co-worker of mine who's more knowledgeable than I take a look and he was confused as well.</P> Fri, 01 Mar 2013 18:48:37 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48809#M22158 Daniel_Edwards 2013-03-01T18:48:37Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48810#M22159 <P>I can see that, because there's no reason why it would act like that. Could you please post more details about your searches?</P> Fri, 01 Mar 2013 19:10:10 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48810#M22159 Ayn 2013-03-01T19:10:10Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48811#M22160 <P>The search I'm using is "index=rhel_update_mon". I'm relatively new to splunk so I'm trying to do the KISS thing and move on once I have a good understanding of the basics.</P> Mon, 28 Sep 2020 13:25:52 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48811#M22160 Daniel_Edwards 2020-09-28T13:25:52Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48812#M22161 <P>OK, and the other search, for source/sourcetype?</P> Fri, 01 Mar 2013 19:45:25 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48812#M22161 Ayn 2013-03-01T19:45:25Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48813#M22162 <P>I think you have have helped me solve the problem! I believe the sourcetype I had in my props.conf was incorrect. It needed to be [rhel_update_log] and not [RHEL_mon_log] Thank you very much.</P> Mon, 28 Sep 2020 13:25:55 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48813#M22162 Daniel_Edwards 2020-09-28T13:25:55Z https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48814#M22163 <P>Via Ayn:</P> <PRE><CODE> Confirm that the sourcetype in your props.conf matches what sourcetype is actually in splunk. </CODE></PRE> Fri, 01 Mar 2013 20:02:23 GMT https://community.splunk.com/t5/Deployment-Architecture/Index-Line-Breaks/m-p/48814#M22163 Daniel_Edwards 2013-03-01T20:02:23Z