topic Re: Event_breaker vs Line_breaker ? in Getting Data In

Event_breaker vs Line_breaker ?

daniel333 — Wed, 30 Sep 2020 00:53:04 GMT

All,

Is there any reason my event_breaker stanza for my UF should be different from LINE_breaker line on my indexers ? Seems to be they'd be identical.

Example of my log4j props.conf stanza -

  LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[
  EVENT_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[

thanks
-Daniel

Re: Event_breaker vs Line_breaker ?

harsmarvania57 — Wed, 12 Jun 2019 08:27:25 GMT

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

Re: Event_breaker vs Line_breaker ?

FrankVl — Wed, 12 Jun 2019 09:00:09 GMT

They should be identical, why are you asking, is it not working as expected?

Re: Event_breaker vs Line_breaker ?

daniel333 — Wed, 12 Jun 2019 14:44:35 GMT

Thanks for the extra details there. Awesome!

Re: Event_breaker vs Line_breaker ?

jatin_patel — Fri, 17 Jul 2020 20:28:19 GMT

if you are using EVENT_BREAKER on UF why do you even need LINE_BREAKER on indexers would not defeat the purpose of putting EVENT_BREAKER on UF as indexer would again run same regex on data that is already regexed by UF?

Re: Event_breaker vs Line_breaker ?

dwallen41 — Thu, 10 Feb 2022 21:27:27 GMT

EVENT_BREAKER is so the forwarder knows where to stop sending data for load balancing purposes. The data is unchanged when it gets to the indexers so the indexers still need the LINE_BREAKER to break the raw data into the actual events.