https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64317#M12942 <P>Hi a212830,</P> <P>If you create you own source type and you use the BREAK_ONLY_BEFORE option to create a regex that will look for the two linebreaking formats:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf" target="_blank">http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf</A></P> <P>Without knowing much more information on what you are currently working on, you could set it to something like:<BR /> BREAK_ONLY_BEFORE = (^*|^date)</P> <P>Hope this helps, if you would like to provide some examples, I would be happy to help set up the props.conf file with you.</P> <P>Regards,</P> <P>Vince</P> Mon, 28 Sep 2020 13:31:57 GMT vincesesto 2020-09-28T13:31:57Z https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64316#M12941 <P>Hi,</P> <P>How would I parse a file that has two linebreaking formats? The first is when the line begins and ends with asterisks (*), and the other is when they start with a date. The asterisk appears to be multi-line, and the date appears to be single-line. </P> Sun, 17 Mar 2013 22:43:32 GMT https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64316#M12941 a212830 2013-03-17T22:43:32Z https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64317#M12942 <P>Hi a212830,</P> <P>If you create you own source type and you use the BREAK_ONLY_BEFORE option to create a regex that will look for the two linebreaking formats:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf" target="_blank">http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf</A></P> <P>Without knowing much more information on what you are currently working on, you could set it to something like:<BR /> BREAK_ONLY_BEFORE = (^*|^date)</P> <P>Hope this helps, if you would like to provide some examples, I would be happy to help set up the props.conf file with you.</P> <P>Regards,</P> <P>Vince</P> Mon, 28 Sep 2020 13:31:57 GMT https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64317#M12942 vincesesto 2020-09-28T13:31:57Z https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64318#M12943 <P>Thanks.</P> <P>I have lines like this:</P> <P>*********** blah blah blah start of this event with no date/time stamp ***<BR /> stuff<BR /> stuff<BR /> ********* blah blah blah end of this event</P> <P>and lines like this</P> <P>[10/29/12 6:40:34:438 EDT] 000001ae SystemErr R [Fatal Error] :-1:-1: Premature end of file.</P> Sun, 17 Mar 2013 23:56:12 GMT https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64318#M12943 a212830 2013-03-17T23:56:12Z https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64319#M12944 <P>Hi a212830,</P> <P>Try something like the following for your props.conf:</P> <PRE><CODE>BREAK_ONLY_BEFORE=^\*\*\s+\w+|^\[ NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true </CODE></PRE> <P>The BREAK_ONLY_BEFORE is in two parts to have two separate event:<BR /> 1. <CODE>^\*\*\s+\w+</CODE> - this is looking for a newline starting with 2 asterisk a space then a word <BR /> 2. <CODE>|^\[</CODE> - OR a square bracket at the start of a line.</P> <P>Of course you can make this as complicated as you like depending on your events, but from what you have shown me the regex of <CODE>^\*\*\s+\w+|^\[</CODE> should work as an event break for your data.</P> <P>Regards,</P> <P>Vince</P> Mon, 28 Sep 2020 13:32:02 GMT https://community.splunk.com/t5/Getting-Data-In/parsing-events/m-p/64319#M12944 vincesesto 2020-09-28T13:32:02Z