https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57196#M11160 <P>I'm having a problem where multiple events are getting combined into a single event and I haven't been able to figure out how to fix it.</P> <P>For example, the following two events are being listed as one event by splunk:<BR /> msg,server,City,recruit,0.12032890319824,code=0&amp;desc=585,0,585,2013-06-06 15:45:58,10.80.74.124<BR /> msg,client,Hero,train,805012,[{"mod":"Hero","cash":0,"gold":1800,"cardnumber":0,"heroid":46,"type":3,"act":"train"}],2013-06-06 15:45:58,10.80.74.124</P> <P>I have a splunk forwarder sending data to my main splunk indexer. I'm using apps to specify the inputs/outputs for the forwarder.<BR /> The sourcetype for the data in question is kotr_logknight</P> <P>On the indexer I have created a props.conf that contains:<BR /> [kotr_logknight]<BR /> SHOULD_LINEMERGE = false</P> <P>My understanding is that this should disable line merging so that my events shouldn't get combined. However, it doesn't seem to affect the behavior at all.<BR /> (I also tried putting props.conf on the forwarder and in with the app, and neither of those seemed to make any difference either)</P> <P>How can I track down what is happening during indexing to understand why the configuration setting doesn't seem to be doing what I expect?</P> Mon, 28 Sep 2020 14:03:04 GMT Richard_ 2020-09-28T14:03:04Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57196#M11160 <P>I'm having a problem where multiple events are getting combined into a single event and I haven't been able to figure out how to fix it.</P> <P>For example, the following two events are being listed as one event by splunk:<BR /> msg,server,City,recruit,0.12032890319824,code=0&amp;desc=585,0,585,2013-06-06 15:45:58,10.80.74.124<BR /> msg,client,Hero,train,805012,[{"mod":"Hero","cash":0,"gold":1800,"cardnumber":0,"heroid":46,"type":3,"act":"train"}],2013-06-06 15:45:58,10.80.74.124</P> <P>I have a splunk forwarder sending data to my main splunk indexer. I'm using apps to specify the inputs/outputs for the forwarder.<BR /> The sourcetype for the data in question is kotr_logknight</P> <P>On the indexer I have created a props.conf that contains:<BR /> [kotr_logknight]<BR /> SHOULD_LINEMERGE = false</P> <P>My understanding is that this should disable line merging so that my events shouldn't get combined. However, it doesn't seem to affect the behavior at all.<BR /> (I also tried putting props.conf on the forwarder and in with the app, and neither of those seemed to make any difference either)</P> <P>How can I track down what is happening during indexing to understand why the configuration setting doesn't seem to be doing what I expect?</P> Mon, 28 Sep 2020 14:03:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57196#M11160 Richard_ 2020-09-28T14:03:04Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57197#M11161 <P>Use a sample of data and import it into the data preview.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Overviewofdatapreview">http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Overviewofdatapreview</A></P> <P>Also the props,conf with the sourcetype definition has to be on the instance parsing the events (indexers, or heavy forwarders if any)</P> Thu, 06 Jun 2013 16:08:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57197#M11161 yannK 2013-06-06T16:08:53Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57198#M11162 <P>That was super helpful. I've never added data that way so that I didn't know of the existance of the data previewer.</P> <P>My problem ended up being a stupid mistake. I was changing prop.conf on the wrong machine. I thought I was on the indexer, but I wasn't.</P> <P>Thanks!</P> Thu, 06 Jun 2013 17:38:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57198#M11162 Richard_ 2013-06-06T17:38:34Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57199#M11163 <P>The GUI for this gives you a partially interactive way to test things. Being able to immediately see results as you change things was very useful.</P> Sat, 01 Aug 2015 13:20:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57199#M11163 Richfez 2015-08-01T13:20:58Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57200#M11164 <P>You're correct about making changes in the props.conf on the indexer. But you will need to write a regular expression to successfully break those lines so Splunk will see them as a new event</P> <P><CODE>^msg\,\w+</CODE></P> Sat, 01 Aug 2015 13:27:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-troubleshoot-linebreak-linemerge-issues/m-p/57200#M11164 skoelpin 2015-08-01T13:27:23Z