https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698382#M115785 <P>Please share your raw events and the configurations you have tried</P> Fri, 06 Sep 2024 08:35:49 GMT ITWhisperer 2024-09-06T08:35:49Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698380#M115784 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="arunkuriakose_0-1725610979258.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32565i29E99225FF2E85F7/image-size/medium?v=v2&amp;px=400" role="button" title="arunkuriakose_0-1725610979258.png" alt="arunkuriakose_0-1725610979258.png" /></span></P><P>&nbsp;</P><P>I have logs indexed like this. How to break entries based on each lines . i need each line as a seperate entry.</P><P>&nbsp;</P><P>I tried to do this via line breaker but didnt succeed. Any method to do it via search after indexing</P><P>&nbsp;</P> Fri, 06 Sep 2024 08:24:39 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698380#M115784 arunkuriakose 2024-09-06T08:24:39Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698382#M115785 <P>Please share your raw events and the configurations you have tried</P> Fri, 06 Sep 2024 08:35:49 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698382#M115785 ITWhisperer 2024-09-06T08:35:49Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698432#M115787 <P>There are several different issues touched here.</P><P>As you have already indexed data, you cannot break the events again and re-index them. You can, however manipulate your data during searching. But you will have to "break" the data into separate results on each search explicitly using search commands.</P><P>If you want newly ingested data properly broken and indexed as separate events you need to configure your ingestion settings properly. But that will only work on newly ingested data. Old data will stay as it was.</P> Fri, 06 Sep 2024 21:32:39 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698432#M115787 PickleRick 2024-09-06T21:32:39Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698434#M115788 <P>Hi</P><P>&nbsp;</P><P>thanks for the response. If i can reindex the data how to apply line breaking settings effficiently to achieve this</P> Fri, 06 Sep 2024 22:06:19 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698434#M115788 arunkuriakose 2024-09-06T22:06:19Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698441#M115789 <P>As <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a> said - show us your raw events and what have you tried so far because maybe your idea was OK but applied in a wrong place.</P> Sat, 07 Sep 2024 08:16:34 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698441#M115789 PickleRick 2024-09-07T08:16:34Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698537#M115800 <P>Hi</P> <P>&nbsp;</P> <P>thanks for the response .</P> <P>sample logs: (these are coming as a single event as mentioned in screenshot)</P> <P><SPAN class="">zowin.exposed.</SPAN> <SPAN class="">3600</SPAN> <SPAN class="">in</SPAN> <SPAN class="">ns</SPAN> <SPAN class="">ns1.dyna-ns.net.</SPAN></P> <P><SPAN class="">zowin.exposed.</SPAN> <SPAN class="">3600</SPAN> <SPAN class="">in</SPAN> <SPAN class="">ns</SPAN> <SPAN class="">ns2.dyna-ns.net.</SPAN></P> <P><SPAN class="">zuckerberg.exposed.</SPAN> <SPAN class="">3600</SPAN> <SPAN class="">in</SPAN> <SPAN class="">ns</SPAN> <SPAN class="">ns1.afternic.com.</SPAN></P> <P><SPAN class="">zuckerberg.exposed.</SPAN> <SPAN class="">3600</SPAN> <SPAN class="">in</SPAN> <SPAN class="">ns</SPAN> <SPAN class="">ns2.afternic.com.</SPAN></P> <P><SPAN class="">zwiebeltvde.exposed.</SPAN> <SPAN class="">3600</SPAN> <SPAN class="">in</SPAN> <SPAN class="">ns</SPAN> <SPAN class="">docks13.rzone.de.</SPAN></P> <P><SPAN class="">zwiebeltvde.exposed.</SPAN> <SPAN class="">3600</SPAN> <SPAN class="">in</SPAN> <SPAN class="">ns</SPAN> <SPAN class="">shades01.rzone.de</SPAN></P> <P>I am applying this on UF config . (/etc/system/local/propes.conf</P> <P>[zone_files]</P> <LI-CODE lang="markup">LINE_BREAKER= ([\r\n]+) SHOULD_LINEMERGE = false</LI-CODE> <P><BR />~</P> Mon, 09 Sep 2024 14:10:33 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698537#M115800 arunkuriakose 2024-09-09T14:10:33Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698540#M115802 <P>OK. Let's back up a little.</P><P>1. How are the events ingested? Read from files with a monitor input or any other way? (like HEC input or a modular input). You mention UF so I suspect monitor input(s) but I want to be sure.</P><P>2. I assume you meant props.conf, not propes.conf - that was just a typo here, right?</P><P>3. Line breaking is _not_ happening on the UF. You need to have your LINE_BREAKER defined on the first heavy component that the event passes through (if you're sending from UF directly to indexers, you need this setting on the indexers).</P> Mon, 09 Sep 2024 11:15:55 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698540#M115802 PickleRick 2024-09-09T11:15:55Z https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698598#M115805 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp; Your comments helped. I&nbsp; was applying this on the UF level and changing to indexers made it work. Thanks</P> Tue, 10 Sep 2024 05:40:13 GMT https://community.splunk.com/t5/Getting-Data-In/line-break-to-different-entries/m-p/698598#M115805 arunkuriakose 2024-09-10T05:40:13Z