<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Events are not breaking/extracted properly in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597293#M104271</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909"&gt;@SplunkDash&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;1. For the text files you look to have a typo with Splunk docs showing it should be&lt;/P&gt;&lt;PRE&gt;HEADER_FIELD_LINE_NUMBER = &amp;lt;integer&amp;gt;&lt;/PRE&gt;&lt;P&gt;Also, the docs show the&amp;nbsp;&lt;SPAN&gt;INDEXED_EXTRACTIONS as&amp;nbsp;&lt;/SPAN&gt;capitalized, e.g.&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;INDEXED_EXTRACTIONS = PSV&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;Not 100% sure capitalization would make a difference but&amp;nbsp;worth a go.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;As INDEXED_EXTRACTIONS is used, the props.conf can live on either the UF or HF.&lt;BR /&gt;&lt;BR /&gt;2. Assuming&amp;nbsp;you do not want the &amp;lt;?xml version=...&amp;gt; part then the event break config would be.&lt;SPAN&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;LINE_BREAKER = ([\r\n&amp;gt;]*.+)&amp;lt;DSDATA&amp;gt;&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Note, I kept the &amp;lt;DSDATA&amp;gt; tag to keep the XML valid with the closing &amp;lt;/DSDATA&amp;gt; tag.&lt;BR /&gt;&lt;BR /&gt;If you did want to get rid of the DSDATA fields too then this should work...&lt;/SPAN&gt;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;LINE_BREAKER = ((?:&amp;lt;/DSDATA&amp;gt;)?[\r\n&amp;gt;]*.+&amp;lt;DSDATA&amp;gt;|&amp;lt;/DSDATA&amp;gt;)&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Note the OR statement (|&amp;lt;/DSDATA&amp;gt;) is to try and strip the last entry in an event that may not have a newline or carriage return.&amp;nbsp; It will result in an empty event.&lt;BR /&gt;&lt;BR /&gt;If it was me, I think I'd keep the DSDATA field in the LINE_BREAKER and then use SEDCMD to strip &amp;lt;.?DSDATA&amp;gt;&amp;nbsp;from the events.&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&lt;BR /&gt;For the XML extraction the props.conf file must live on the HF, or indexer, depending on your setup.&lt;BR /&gt;&lt;BR /&gt;Restarts may be needed once configs are updated, depending on how you deploy this.&lt;BR /&gt;&lt;BR /&gt;Hope it helps&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 11 May 2022 05:56:56 GMT</pubDate>
    <dc:creator>yeahnah</dc:creator>
    <dc:date>2022-05-11T05:56:56Z</dc:date>
    <item>
      <title>Why events are not breaking/extracted properly?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597274#M104270</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I completed a few UF based data ingestions and SPLUNK is getting events from those ingestions, but I have some issues with breaking events.&lt;/P&gt;
&lt;P&gt;I have 2 types of files: 1)&amp;nbsp; &amp;nbsp;text files with header and Pipe Delimiters, 2) XML files&lt;/P&gt;
&lt;P&gt;In the case of text files, header info is showing up within the SPLUNK events, and also events are not breaking as expected at all; in most cases, one SPLUNK event contains more than one source event.&lt;/P&gt;
&lt;P&gt;In the case of XML files,&amp;nbsp;info within one source file is considered as one SPLUNK event, but it should be considered a number of events based on the XML tag.&lt;/P&gt;
&lt;P&gt;Any thoughts/recommendations to resolve these issues would be highly appreciated. Thank you!&lt;/P&gt;
&lt;P&gt;props/input configuration files and source files are given below:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;For Text Files:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;props&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;[ds:audit]&lt;/P&gt;
&lt;P&gt;SHOULD_LINEMERGE=false&lt;BR /&gt;LINE_BREAKER=([\r\n]+)&lt;BR /&gt;HEADERFIELD_LINE_NUMBER=1&lt;BR /&gt;INDEXED_EXTRACTIONS=psv&lt;BR /&gt;TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%Q%z&lt;BR /&gt;TIMESTAMP_FIELDS=TimeStamp&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;inputs&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;[monitor:///opt/audit/DS/DS_EVENTS*.txt]&lt;BR /&gt;sourcetype=ds:audit&lt;BR /&gt;index=ds_test&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;sample&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;serID|UserType|System|EventType|EventId|Subject|SessionID|SrcAddr|EventStatus|ErrorMsg|TimeStamp|Additional Application Data |Device&lt;BR /&gt;p22bb4r|TEST|DS|USER| VIEW_NODE |ELEMENT&amp;lt;843006481&amp;gt;|131e9d5b-e84e-567d-a6b1-775f58993f68|null|00||2022-06-14T09:01:55.001+0000||NA&lt;BR /&gt;p22bbs1|TEST|DS|USER| FULL_SEARCH |ELEMENT&amp;lt;843006481&amp;gt;|121e7d5b-f84e-467d-a6b1-775f58993f68|null|00||2021-06-14T09:01:50.001+0000||NA&lt;BR /&gt;p22bbw3|TEST|DS|USER| FULL_SEARCH | ELEMENT&amp;lt; 343982854&amp;gt;|5b8fb22e-eeed-4802-8b07-8559dbfe1e45|null|00||2021-06-14T08:54:08.054+0000||NA&lt;BR /&gt;ts70sbr4|TEST|DS|USER|VIEW_NODE| ELEMENT&amp;lt; 35382854&amp;gt;|5b8fb22e-eeed-4802-8b07-8559dbfe1e45|null|00||2021-06-14T08:54:16.054+0000||NA&lt;BR /&gt;ts70sbd3|TEST|DS|USER|FULL_SEARCH|ELEMENT&amp;lt;933982854&amp;gt;|5b8fb22e-eeed-4802-8b07-8559dbfe1e45|null|00||2021-06-14T08:53:54.053+0000||NA&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;For XML Files:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;[secops:audit]&lt;/P&gt;
&lt;P&gt;SHOULD_LINEMERGE=false&lt;BR /&gt;LINE_BREAKER=([\r\n]*)&amp;lt;MODTRANSL&amp;gt;&lt;BR /&gt;TIME_PREFIX=&amp;lt;TIMESTAMP&amp;gt;&lt;BR /&gt;TIME_FORMAT=%Y%m%d%H%M%S&lt;BR /&gt;MAX_TIMESTAMP_LOOKAHEAD=14&lt;BR /&gt;TRUNCATE=2500&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Input&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;[monitor:///opt/app/secops/logs/audit_secops_log*.XML]&lt;BR /&gt;sourcetype=secops:audit&lt;BR /&gt;index=secops_test&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sample Data&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;lt;?xml version="x.1" encoding="UTF-8"?&amp;gt;&amp;lt;DSDATA&amp;gt;&amp;lt;MODTRANSL&amp;gt;&amp;lt;TIMESTAMP&amp;gt;20190621121321&amp;lt;/TIMESTAMP&amp;gt;&amp;lt;USERID&amp;gt;d23bsrb&amp;lt;/USERID&amp;gt;&amp;lt;USERTYPE&amp;gt;SECOPS&amp;lt;/USERTYPE&amp;gt;&amp;lt;SYSTEM&amp;gt;DS&amp;lt;/SYSTEM&amp;gt;&amp;lt;EVENTTYPE&amp;gt;ADMIN&amp;lt;/EVENTTYPE&amp;gt;&amp;lt;EVENTID&amp;gt;SYS&amp;lt;/EVENTID&amp;gt;&amp;lt;ID&amp;gt;0300001&amp;lt;/ID&amp;gt;&amp;lt;SRCADDR&amp;gt;10.210.135.108&amp;lt;/SRCADDR&amp;gt;&amp;lt;RETURNCODE&amp;gt;00&amp;lt;/RETURNCODE&amp;gt;&amp;lt;VARDATA&amp;gt; Initiated New Entity Status: AP&amp;lt;/VARDATA&amp;gt;&amp;lt;/MODTRANSL&amp;gt;&amp;lt;MODTRANSL&amp;gt;&amp;lt;TIMESTAMP&amp;gt;20190621121416&amp;lt;/TIMESTAMP&amp;gt;&amp;lt;USERID&amp;gt; d23bsrb &amp;lt;/USERID&amp;gt;&amp;lt;USERTYPE&amp;gt;SECOPS&amp;lt;/USERTYPE&amp;gt;&amp;lt;SYSTEM&amp;gt;DSI&amp;lt;/SYSTEM&amp;gt;&amp;lt;EVENTTYPE&amp;gt;ADMIN&amp;lt;/EVENTTYPE&amp;gt;&amp;lt;EVENTID&amp;gt;SYS&amp;lt;/EVENTID&amp;gt;&amp;lt;ID&amp;gt;000000000&amp;lt;/ID&amp;gt;&amp;lt;SRCADDR&amp;gt;10.210.135.120&amp;lt;/SRCADDR&amp;gt;&amp;lt;RETURNCODE&amp;gt;00&amp;lt;/RETURNCODE&amp;gt;&amp;lt;VARDATA&amp;gt; Entity Status: Approved New Entity Status: TI&amp;lt;/VARDATA&amp;gt;&amp;lt;/MODTRANSL&amp;gt;&amp;lt;MODTRANSL&amp;gt;&amp;lt;TIMESTAMP&amp;gt;20190621121809&amp;lt;/TIMESTAMP&amp;gt;&amp;lt;USERID&amp;gt;sj45yrs&amp;lt;/USERID&amp;gt;&amp;lt;USERTYPE&amp;gt;SECOPS&amp;lt;/USERTYPE&amp;gt;&amp;lt;SYSTEM&amp;gt;DSI&amp;lt;/SYSTEM&amp;gt;&amp;lt;EVENTTYPE&amp;gt;ADMIN&amp;lt;/EVENTTYPE&amp;gt;&amp;lt;EVENTID&amp;gt;DS_OPD&amp;lt;/EVENTID&amp;gt;&amp;lt;ID&amp;gt;2192345&amp;lt;/ID&amp;gt;&amp;lt;SRCADDR&amp;gt;10.212.25.19&amp;lt;/SRCADDR&amp;gt;&amp;lt;RETURNCODE&amp;gt;00&amp;lt;/RETURNCODE&amp;gt;&amp;lt;VARDATA&amp;gt; 43ded7433b314eb58d2307e9bc536bd3&amp;lt;/VARDATA &amp;gt; &amp;lt;DURATION&amp;gt;124&amp;lt;/DURATION&amp;gt; 
&amp;lt;/MODTRANSL&amp;lt;/DSDATA&amp;gt;&lt;/P&gt;</description>
      <pubDate>Wed, 11 May 2022 22:31:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597274#M104270</guid>
      <dc:creator>SplunkDash</dc:creator>
      <dc:date>2022-05-11T22:31:42Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597293#M104271</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909"&gt;@SplunkDash&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;1. For the text files you look to have a typo with Splunk docs showing it should be&lt;/P&gt;&lt;PRE&gt;HEADER_FIELD_LINE_NUMBER = &amp;lt;integer&amp;gt;&lt;/PRE&gt;&lt;P&gt;Also, the docs show the&amp;nbsp;&lt;SPAN&gt;INDEXED_EXTRACTIONS as&amp;nbsp;&lt;/SPAN&gt;capitalized, e.g.&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;INDEXED_EXTRACTIONS = PSV&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;Not 100% sure capitalization would make a difference but&amp;nbsp;worth a go.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;As INDEXED_EXTRACTIONS is used, the props.conf can live on either the UF or HF.&lt;BR /&gt;&lt;BR /&gt;2. Assuming&amp;nbsp;you do not want the &amp;lt;?xml version=...&amp;gt; part then the event break config would be.&lt;SPAN&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;LINE_BREAKER = ([\r\n&amp;gt;]*.+)&amp;lt;DSDATA&amp;gt;&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Note, I kept the &amp;lt;DSDATA&amp;gt; tag to keep the XML valid with the closing &amp;lt;/DSDATA&amp;gt; tag.&lt;BR /&gt;&lt;BR /&gt;If you did want to get rid of the DSDATA fields too then this should work...&lt;/SPAN&gt;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;LINE_BREAKER = ((?:&amp;lt;/DSDATA&amp;gt;)?[\r\n&amp;gt;]*.+&amp;lt;DSDATA&amp;gt;|&amp;lt;/DSDATA&amp;gt;)&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Note the OR statement (|&amp;lt;/DSDATA&amp;gt;) is to try and strip the last entry in an event that may not have a newline or carriage return.&amp;nbsp; It will result in an empty event.&lt;BR /&gt;&lt;BR /&gt;If it was me, I think I'd keep the DSDATA field in the LINE_BREAKER and then use SEDCMD to strip &amp;lt;.?DSDATA&amp;gt;&amp;nbsp;from the events.&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&lt;BR /&gt;For the XML extraction the props.conf file must live on the HF, or indexer, depending on your setup.&lt;BR /&gt;&lt;BR /&gt;Restarts may be needed once configs are updated, depending on how you deploy this.&lt;BR /&gt;&lt;BR /&gt;Hope it helps&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 11 May 2022 05:56:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597293#M104271</guid>
      <dc:creator>yeahnah</dc:creator>
      <dc:date>2022-05-11T05:56:56Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597297#M104272</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Thank you for your quick response. In regard to the XML file,&amp;nbsp;&amp;lt;MODTRANSL&amp;gt; should be the event breaking point; the sample XML file I provided should have 3 events. Do you think&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;LINE_BREAKER = ([\r\n&amp;gt;]*.+)&amp;lt;DSDATA&amp;gt;&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;is going to work for that? Thank you again.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 11 May 2022 06:32:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597297#M104272</guid>
      <dc:creator>SplunkDash</dc:creator>
      <dc:date>2022-05-11T06:32:07Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597314#M104273</link>
      <description>&lt;P&gt;Your PSV definition looks mostly OK. But if it doesn't work, there must surely be something wrong with it &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;&lt;P&gt;But about your XML source settings - if you put those into props.conf on UF, they won't work. You need them on indexers/HFs (whatever is the first "heavy" layer you're hitting). And with this LINE_BREAKER you won't get proper XML. You'd need to break the events using a non-capturing group so that the XML tag you're breaking at is not consumed.&lt;/P&gt;</description>
      <pubDate>Wed, 11 May 2022 07:32:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597314#M104273</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2022-05-11T07:32:53Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597376#M104295</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Thank you so much for your response, truly appreciate it. Just wondering, are there any alternate solutions to resolve these issues? Any additional/alternate recommendation would be highly appreciated. Thank you again.&lt;/P&gt;</description>
      <pubDate>Wed, 11 May 2022 12:11:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597376#M104295</guid>
      <dc:creator>SplunkDash</dc:creator>
      <dc:date>2022-05-11T12:11:17Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597488#M104313</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909"&gt;@SplunkDash&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;OK, that is clearer and it can be done.&amp;nbsp;&amp;nbsp;Give this a try in the heavy forwarder's props.conf file.&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;LINE_BREAKER = &lt;/SPAN&gt;([\r\n]*&amp;lt;\?xml.+&amp;lt;DSDATA&amp;gt;|&amp;lt;/MODTRANSL&amp;gt;|&amp;lt;/DSDATA&amp;gt;|[\n\r])&lt;BR /&gt;# to make XML valid again, re-append the &amp;lt;/MODTRANSL&amp;gt; tag stripped in line breaking capture group&lt;BR /&gt;SEDCMD-re-append-trailing-tag =s/$/&amp;lt;\/MODTRANSL&amp;gt;/&lt;/PRE&gt;&lt;P&gt;A good way to play with this is with a test file uploaded via the Settings &amp;gt; Add Data wizard.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 11 May 2022 22:29:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597488#M104313</guid>
      <dc:creator>yeahnah</dc:creator>
      <dc:date>2022-05-11T22:29:23Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597500#M104315</link>
      <description>&lt;P&gt;Hello&amp;nbsp;@&lt;SPAN&gt;yeahnah,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thank you so much, truly appreciated....it's working for me.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Is there any recommendation for the issues with text files? Anything will help. Thank you so much again.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 12 May 2022 03:30:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597500#M104315</guid>
      <dc:creator>SplunkDash</dc:creator>
      <dc:date>2022-05-12T03:30:52Z</dc:date>
    </item>
    <item>
      <title>Re: Events are not breaking/extracted properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597521#M104316</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909"&gt;@SplunkDash&lt;/a&gt;&lt;BR /&gt;&lt;BR /&gt;I've tried the following on a Splunk v8.0.5 instance and it worked OK for me.&lt;/P&gt;&lt;PRE&gt;[ __auto__learned__ ]&lt;BR /&gt;NO_BINARY_CHECK=true&lt;BR /&gt;SHOULD_LINEMERGE=false&lt;BR /&gt;LINE_BREAKER=([\r\n]+)&lt;BR /&gt;INDEXED_EXTRACTIONS=PSV&lt;BR /&gt;HEADER_FIELD_LINE_NUMBER=1&lt;BR /&gt;HEADER_FIELD_DELIMITER=|&lt;BR /&gt;FIELD_DELIMITER=|&lt;BR /&gt;TIMESTAMP_FIELDS=TimeStamp&lt;BR /&gt;TIME_FORMAT=%FT%T.%3Q%z&lt;/PRE&gt;&lt;P&gt;And yes, it is strange that I need to specify FIELD_DELIMITER=|, as you would think that specifying PSV implies this anyway.&amp;nbsp; Might be a bug.&amp;nbsp;&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yeahnah_1-1652337462790.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/19602i7337D8B0B3F75701/image-size/medium?v=v2&amp;amp;px=400" role="button" title="yeahnah_1-1652337462790.png" alt="yeahnah_1-1652337462790.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Note, as mentioned before, this config should work on either a UF or HF, though generally INDEXED_EXTRACTIONS are defined on the UF, which means the structured&amp;nbsp; data is parsed at source by the UF.&amp;nbsp; &amp;nbsp;No further modifications can be made to this forwarded data, by a Splunk HF/IDX at least, once it is parsed like this.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If this solves your problem then please mark this as answered.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 29 May 2022 21:26:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-events-are-not-breaking-extracted-properly/m-p/597521#M104316</guid>
      <dc:creator>yeahnah</dc:creator>
      <dc:date>2022-05-29T21:26:36Z</dc:date>
    </item>
  </channel>
</rss>

