https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670058#M112356 <P>Hi All,</P><P>I have a scripted input which gets Data from a URL and send it to Splunk.</P><P>But now I have issue with event Formatting, Actual website data I am ingesting is as shown below:</P><P>##### BEGIN STATUS #####</P><P>#LAST UPDATE&nbsp; :&nbsp; Tue,&nbsp; 28&nbsp; Nov&nbsp; 2023&nbsp; 11:00:16&nbsp; +0000</P><P>Abcstatus.status=ok</P><P>Abcstatus.lastupdate=17xxxxxxxx555</P><P>&nbsp;</P><P>&nbsp;</P><P>###&nbsp; ServiceStatus&nbsp; ###</P><P>xxxxx</P><P>xxxxxx</P><P>xxxx</P><P>###&nbsp; SystemStatus&nbsp; ###</P><P>XXXX'</P><P>XXXX</P><P>&nbsp;</P><P>###&nbsp; xyxStatus&nbsp; ###</P><P>XXX</P><P>XXX</P><P>XXX</P><P>.</P><P>.</P><P>.</P><P>.</P><P>So on....</P><P>&nbsp;</P><P>But in splunk below lines are coming as a seperate events instead of being part of one complete event:</P><P>##### FIRST STATUS #####&nbsp; - is coming as seperate event</P><P>Abcstatus.status=ok&nbsp; - this is also coming as a separate event</P><P>&nbsp;</P><P>Below all events coming as one event which is correct and the above two lines should also be part of this one event:</P><P>Abcstatus.lastupdate=17xxxxxxxx555</P><P>###&nbsp; ServiceStatus&nbsp; ###</P><P>xxxxx</P><P>xxxxxx</P><P>xxxx</P><P>###&nbsp; SystemStatus&nbsp; ###</P><P>.</P><P>.</P><P>.</P><P>So on....</P><P>#####&nbsp; &nbsp;END STATUS&nbsp; #####</P><P>&nbsp;</P><P>Below is my props:</P><PRE>DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE=TRUE BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5} MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5} TIME_PREFIX=^#\w+\s\w+\w+\s:\s MAX_TIMESTAMP_LOOKAHEAD=200</PRE><P>&nbsp;</P><P>Can you please help me with the issue?</P><P>&nbsp;</P> Tue, 28 Nov 2023 17:31:06 GMT blbr123 2023-11-28T17:31:06Z https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670058#M112356 <P>Hi All,</P><P>I have a scripted input which gets Data from a URL and send it to Splunk.</P><P>But now I have issue with event Formatting, Actual website data I am ingesting is as shown below:</P><P>##### BEGIN STATUS #####</P><P>#LAST UPDATE&nbsp; :&nbsp; Tue,&nbsp; 28&nbsp; Nov&nbsp; 2023&nbsp; 11:00:16&nbsp; +0000</P><P>Abcstatus.status=ok</P><P>Abcstatus.lastupdate=17xxxxxxxx555</P><P>&nbsp;</P><P>&nbsp;</P><P>###&nbsp; ServiceStatus&nbsp; ###</P><P>xxxxx</P><P>xxxxxx</P><P>xxxx</P><P>###&nbsp; SystemStatus&nbsp; ###</P><P>XXXX'</P><P>XXXX</P><P>&nbsp;</P><P>###&nbsp; xyxStatus&nbsp; ###</P><P>XXX</P><P>XXX</P><P>XXX</P><P>.</P><P>.</P><P>.</P><P>.</P><P>So on....</P><P>&nbsp;</P><P>But in splunk below lines are coming as a seperate events instead of being part of one complete event:</P><P>##### FIRST STATUS #####&nbsp; - is coming as seperate event</P><P>Abcstatus.status=ok&nbsp; - this is also coming as a separate event</P><P>&nbsp;</P><P>Below all events coming as one event which is correct and the above two lines should also be part of this one event:</P><P>Abcstatus.lastupdate=17xxxxxxxx555</P><P>###&nbsp; ServiceStatus&nbsp; ###</P><P>xxxxx</P><P>xxxxxx</P><P>xxxx</P><P>###&nbsp; SystemStatus&nbsp; ###</P><P>.</P><P>.</P><P>.</P><P>So on....</P><P>#####&nbsp; &nbsp;END STATUS&nbsp; #####</P><P>&nbsp;</P><P>Below is my props:</P><PRE>DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE=TRUE BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5} MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5} TIME_PREFIX=^#\w+\s\w+\w+\s:\s MAX_TIMESTAMP_LOOKAHEAD=200</PRE><P>&nbsp;</P><P>Can you please help me with the issue?</P><P>&nbsp;</P> Tue, 28 Nov 2023 17:31:06 GMT https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670058#M112356 blbr123 2023-11-28T17:31:06Z https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670069#M112359 <P>If <FONT face="courier new,courier">DATETIME_CONFIG</FONT> is set to <FONT face="courier new,courier">CURRENT</FONT> then there is no need for the <FONT face="courier new,courier">TIME_PREFIX</FONT> or <FONT face="courier new,courier">MAX_TIMESTAMP_LOOKAHEAD</FONT> settings.</P><P>The regexes do not match the sample data - the regex expects too many spaces.&nbsp; Also, there is no <FONT face="courier new,courier">BREAK_ONLY_AFTER</FONT> setting.&nbsp; Perhaps you mean <FONT face="courier new,courier">MUST_BREAK_AFTER</FONT>.&nbsp; Try these settings.</P><LI-CODE lang="markup">DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = TRUE MUST_BREAK_AFTER = [\r\n]+#{5}\s+END\sSTATUS\s+\#{5}</LI-CODE><P>&nbsp;</P> Tue, 28 Nov 2023 19:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670069#M112359 richgalloway 2023-11-28T19:45:54Z https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670135#M112367 <P>I tried the props settings you suggested but still same issue.</P><P>&nbsp;</P><P>######&nbsp; &nbsp;BEGIN STATUS&nbsp; &nbsp;##### is coming as a separate event.</P><P><SPAN class="">#LAST</SPAN> <SPAN class="">UPDATE</SPAN> <SPAN class="">:</SPAN> <SPAN class="">Wed</SPAN><SPAN>, </SPAN><SPAN class="">29</SPAN> <SPAN class="">Nov</SPAN> <SPAN class="">2023</SPAN> <SPAN class="">10:39:57</SPAN><SPAN> +</SPAN><SPAN class="">0000</SPAN> <SPAN class="">GlobalStatus.status=OK&nbsp; , this is also coming as a separate event&nbsp;</SPAN></P><P><SPAN class="">Both these events should come under one event.</SPAN></P><P>&nbsp;</P> Wed, 29 Nov 2023 10:48:26 GMT https://community.splunk.com/t5/Getting-Data-In/Events-Formatting/m-p/670135#M112367 blbr123 2023-11-29T10:48:26Z