https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679590#M113553 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>,</P><P>did you tried SHOULD_LINEMERGE = false?</P><P>Ciao.</P><P>Giuseppe</P> Tue, 05 Mar 2024 13:31:01 GMT gcusello 2024-03-05T13:31:01Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679578#M113550 <P>This below mentioned lines are coming as a single event and not as separate events. So we want to get them splitted i.e.. It starts with IP and the end would be with Email field so after which it needs to be a separate next&nbsp; event.</P><LI-CODE lang="markup">IP:aa.bbb.ccc.ddd##Browser:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0##LoginSuccess Wire At:04-03-24 15:10:32##CookieFilePath:/xxx/yyy/abc.com/xyz/abc/forms/submitform/live/12345/98765_3598/clear.txt##ABC:12344564##Sessionid:xyz-a1-ddd_1##Form:xyz##Type:Live##LoginSuccess:Yes##SessionUserId:123##Email:xyz@google.com IP:aa.bbb.ccc.ddd##Browser:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0##LoginSuccess Wire At:04-03-24 17:12:32##CookieFilePath:/xxx/yyy/abc.com/xyz/abc/forms/submitform/live/12345/1234_9564/clear.txt##ABC:12344564##Sessionid:xyz-a1-ddd_1##Form:xyz##Type:Live##LoginSuccess:Yes##SessionUserId:123##Email:xyz@google.com IP:aa.bbb.ccc.ddd##Browser:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0##LoginSuccess Wire At:04-03-24 18:10:32##CookieFilePath:/xxx/yyy/abc.com/xyz/abc/forms/submitform/live/12345/9821_365/clear.txt##ABC:12344564##Sessionid:xyz-a1-ddd_1##Form:xyz##Type:Live##LoginSuccess:Yes##SessionUserId:123##Email:xyz@google.com IP:aa.bbb.ccc.ddd##Browser:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0##LoginSuccess Wire At:04-03-24 20:10:32##CookieFilePath:/xxx/yyy/abc.com/xyz/abc/forms/submitform/live/12345/222_123/clear.txt##ABC:12344564##Sessionid:xyz-a1-ddd_1##Form:xyz##Type:Live##LoginSuccess:Yes##SessionUserId:123##Email:xyz@google.com</LI-CODE><P><BR />SO kindly let me know how can be get them splitted into separate events.</P> Fri, 22 Mar 2024 08:53:09 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679578#M113550 anandhalagaras1 2024-03-22T08:53:09Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679590#M113553 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>,</P><P>did you tried SHOULD_LINEMERGE = false?</P><P>Ciao.</P><P>Giuseppe</P> Tue, 05 Mar 2024 13:31:01 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679590#M113553 gcusello 2024-03-05T13:31:01Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679597#M113557 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;Yes i have updated the props.conf in the UF of the server. Since I don't have access to the Indexers it didnt worked. Since our Search head are hosted in Cloud and managed by Splunk Support.</P><P>So what should i need to do if i need to apply to Indexers directly.</P> Tue, 05 Mar 2024 15:01:37 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679597#M113557 anandhalagaras1 2024-03-05T15:01:37Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679603#M113558 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>,</P><P>you have to associate SHOULD_LINEMERGE = false to the sourcetype of your data in the UFs and in the Splunk Cloud Search Heads.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 05 Mar 2024 15:14:43 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679603#M113558 gcusello 2024-03-05T15:14:43Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679827#M113601 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>&nbsp;You can apply in the HF's if you have.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1709739269664.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29630i1B8A7BC0C08C9B80/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1709739269664.png" alt="kiran_panchavat_0-1709739269664.png" /></span></P><P>&nbsp;</P> Wed, 06 Mar 2024 15:35:25 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/679827#M113601 kiran_panchavat 2024-03-06T15:35:25Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/681648#M113894 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>As previously stated, I implemented the setting SHOULD_LINEMERGE = false in Splunk Cloud SH, which successfully resolved the issue. However, the logs contain HTML events, which are now being treated as individual events, resulting in difficulties extracting the desired fields. Could you please advise on how we can address this?</P> Fri, 22 Mar 2024 08:16:31 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/681648#M113894 anandhalagaras1 2024-03-22T08:16:31Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/681649#M113895 <P>Here are the setting for props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">SHOULD_LINEMERGE=false #Should always be false LINE_BREAKER=([\r\n]+)IP #Adds IP to the line breaking (If all lines starts with IP) NO_BINARY_CHECK=true TIME_FORMAT=%e-%m-%y %T #Sets the time format TIME_PREFIX=At: #Use time found after the At: MAX_TIMESTAMP_LOOKAHEAD=20 #Do not search more tha needed for the time</LI-CODE><P>&nbsp;</P> Fri, 22 Mar 2024 09:06:14 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/681649#M113895 jotne 2024-03-22T09:06:14Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/681656#M113899 <P>Hi</P><P>here is the new MASA diagram where you could look where to put those and in which server&nbsp;<A href="https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf?origin_team=T047WPASC&amp;origin_channel=Psearch" target="_blank">https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf?origin_team=T047WPASC&amp;origin_channel=Psearch</A></P><P>r. Ismo</P> Fri, 22 Mar 2024 09:22:41 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Split-the-events-before-parsing-into-Splunk/m-p/681656#M113899 isoutamo 2024-03-22T09:22:41Z