topic Re: Event breaking in Getting Data In

Event breaking

Amith55555 — Mon, 03 Feb 2025 13:34:47 GMT

Hey, i have a problem with event breaking. My app outputs logs that starts with date and time in the format 15/05/2024 16:35:45

Some events have an object in them and can be accross multiple lines. But every event starts with date and time.

For some reason splunk sometimes combine two events. And sometimes cut off an event who has an object in it.

I tried multiple configs in the props.conf such as LINE_BREAKER , SHOULD_LINEMERGE, and more.

Im new to splunk and i would be grateful if u can help me

Re: Event breaking

gcusello — Mon, 03 Feb 2025 13:40:27 GMT

Hi @Amith55555 ,

could you share some sample (eventually anonymized) of your logs of both types?

please in text format (not screenshot!) using the "Insert/Edit code sample" button.

Ciao.

Giuseppe

Re: Event breaking

PickleRick — Mon, 03 Feb 2025 14:05:04 GMT

Can't do anything without knowing your actual data 🙂 (possibly anonymized if it contains sensitive information somewhere in the middle).

As long as you don't have valid data which looks like a timestamp in the middle of your multiline event, you will probably be good with something like (might need adjusting to your date format)

LINE_BREAKER=([\r\n]+)\d{2}/\d{2}/\d{4}

And don't touch SHOULD_LINEMERGE - it should be set to false and never ever changed to true (honestly, there are almost no valid use cases for it to be set to true).

Re: Event breaking

Amith55555 — Mon, 03 Feb 2025 14:20:32 GMT

03/02/2025 15:22:41 info: created keep-alive: { "identifier": "gdghsjjsjjl", "info": { "category": "other", }, }

Example 1

Thats in the log file

03/02/2025 15:22:41 info: created keep-alive: { "identifier": "gdghsjjsjjl",

Example 1

This is the event in splunk

 info: created keep-alive:
{
  "identifier": "gdghsjjsjjl",
  "info": {
    "category": "other",
  },
}
03/02/2025 15:22:41 this is a test log

Example 2

This is in the log file.

Both of this events will be collected as 1

Re: Event breaking

livehybrid — Mon, 03 Feb 2025 15:21:08 GMT

Hi @Amith55555
Does the following work for you?

SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}) TIME_PREFIX = ^ TIME_FORMAT = %d/%m/%Y %H:%M:%S

This assumes your date format is DD/MM/YYYY not MM/DD/YYYY but feel free to tweak if required.
Let me know how you get on!

Re: Event breaking

Amith55555 — Mon, 03 Feb 2025 16:02:04 GMT

No, i get the same result. Thanks tho