https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685302#M114337 <P>HI SMEs,</P><P>&nbsp;</P><P>I am having problem where logs coming from one of the syslog server are getting clubbed into one single raw event &amp; not getting split. Sharing the below. Rather splitting it into 3 diff events it is coming under one single event. Kindly suggest any possible work around</P><P>&nbsp;</P><P>Apr 14 17:30:50 172.10.10.10 %ASA-2-106006: Deny inbound UDP from 10.20.30.40/51785 to 172.10.10.10/162 on interface AI-VO-PVT<BR />Apr 14 17:30:50 10.20.30.40 12812500: RP/0/RP0/CPU0:Apr 14 17:30:50.489 IST: ifmgr[301]: %PK-5-UPDOWN : Line protocol on Interface GigabitEthernet0/0/0/18, changed state to Down<BR />Apr 14 17:30:50 10.225.124.136 TMNX: 258900 Base LOGGER-MINOR-tmnxLogFileDeleted-2009 [acct-log-id 18 file-id 22]: Log file cf3:\acttt\actof1822-20240414-075.xml.gz on compact flash cf3 has been deleted<BR />Apr 14 17:30:50 10.20.30.40 12812502: RP/0/RP0/CPU0:Apr 14 17:30:50.493 IST: fia_driver[334]: %PLATFORM-2_FAULT : Interface GigabitEthernet0/0/0/18, Detected Local Fault</P> Wed, 24 Apr 2024 11:52:01 GMT pm2012 2024-04-24T11:52:01Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685302#M114337 <P>HI SMEs,</P><P>&nbsp;</P><P>I am having problem where logs coming from one of the syslog server are getting clubbed into one single raw event &amp; not getting split. Sharing the below. Rather splitting it into 3 diff events it is coming under one single event. Kindly suggest any possible work around</P><P>&nbsp;</P><P>Apr 14 17:30:50 172.10.10.10 %ASA-2-106006: Deny inbound UDP from 10.20.30.40/51785 to 172.10.10.10/162 on interface AI-VO-PVT<BR />Apr 14 17:30:50 10.20.30.40 12812500: RP/0/RP0/CPU0:Apr 14 17:30:50.489 IST: ifmgr[301]: %PK-5-UPDOWN : Line protocol on Interface GigabitEthernet0/0/0/18, changed state to Down<BR />Apr 14 17:30:50 10.225.124.136 TMNX: 258900 Base LOGGER-MINOR-tmnxLogFileDeleted-2009 [acct-log-id 18 file-id 22]: Log file cf3:\acttt\actof1822-20240414-075.xml.gz on compact flash cf3 has been deleted<BR />Apr 14 17:30:50 10.20.30.40 12812502: RP/0/RP0/CPU0:Apr 14 17:30:50.493 IST: fia_driver[334]: %PLATFORM-2_FAULT : Interface GigabitEthernet0/0/0/18, Detected Local Fault</P> Wed, 24 Apr 2024 11:52:01 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685302#M114337 pm2012 2024-04-24T11:52:01Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685312#M114338 <P>That looks like 4 different events rather than 3.&nbsp; Please confirm.</P><P>Please share the props.conf settings for that sourcetype.</P> Wed, 24 Apr 2024 12:19:44 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685312#M114338 richgalloway 2024-04-24T12:19:44Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685423#M114361 <P>Yeah that's correct basically these are 4 events. I am putting the config taken from GUI below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pm2012_0-1714034945550.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30558i4430D61D48D3BEC9/image-size/medium?v=v2&amp;px=400" role="button" title="pm2012_0-1714034945550.png" alt="pm2012_0-1714034945550.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pm2012_1-1714034994632.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30559i850B78B7F2267C2E/image-size/medium?v=v2&amp;px=400" role="button" title="pm2012_1-1714034994632.png" alt="pm2012_1-1714034994632.png" /></span></P><P>&nbsp;</P> Thu, 25 Apr 2024 08:50:04 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685423#M114361 pm2012 2024-04-25T08:50:04Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685430#M114362 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;please find the attached snaps as i am restricted to GUI&nbsp;</P> Thu, 25 Apr 2024 09:17:51 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685430#M114362 pm2012 2024-04-25T09:17:51Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685460#M114364 <P>The LINE_BREAKER setting requires a capture group.&nbsp; The group is where events will be split.&nbsp; Try this</P><LI-CODE lang="markup">LINE_BREAKER = ()\w{3}\s\d\d:\d\d</LI-CODE> Thu, 25 Apr 2024 12:16:10 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685460#M114364 richgalloway 2024-04-25T12:16:10Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685547#M114367 <P>I check this however it was not matching. don't you think it should be as below</P><P>()\w{3}\s\d+\s+\d+\:\d+\:\d+\s+</P><P>However post updating this as well it is not working. Does it work only for new events post changes or the historical one as well? and how often it gets updated (the config changes)</P> Fri, 26 Apr 2024 03:27:04 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685547#M114367 pm2012 2024-04-26T03:27:04Z https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685609#M114368 <P>Either regex should work.&nbsp; BTW, it's not necessary to escape the colons.</P><P>Any change to props.conf only affects new data.&nbsp; Config changes made in the UI take effect immediately; changes made to .conf files take effect after a restart.</P> Fri, 26 Apr 2024 11:51:20 GMT https://community.splunk.com/t5/Getting-Data-In/event-breaking-not-happening/m-p/685609#M114368 richgalloway 2024-04-26T11:51:20Z