<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk not breaking events on line break properly in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73279#M15019</link>
    <description>&lt;P&gt;What is your data format? Also, include "SHOULD_LINEMERGE=false" in props.conf along with LINE_BREAKER.&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 08:27:48 GMT</pubDate>
    <dc:creator>somesoni2</dc:creator>
    <dc:date>2020-09-29T08:27:48Z</dc:date>
    <item>
      <title>Splunk not breaking events on line break properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73276#M15016</link>
      <description>&lt;P&gt;Ok, I'm at my wits' end here.  I have an application log which produces events of the format:  &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;DEBUG | 2012-02-16 11:01:30,683 [http-10.0.0.1-8443-Processor6] SystemFile  - field1=value1 timestamp=2012-02-16 11:01:30.679 CST   field2=value2   field3=value3   field4=value4   field5= field6=value6   field7=A field value with spaces in it  field8=
DEBUG | 2012-02-16 11:01:32,457 [http-10.0.0.1-8443-Processor10] SystemFile  - field1=value1    timestamp=2012-02-16 11:01:32,450 CST   field2=value2   field3= field4=value4   field5= field6=value6   field7=Another field with spaces in it  field8=value8
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Basically tab-delimited name/value pairs, with nice neat newlines at the end of the lines (I've verified the line breaks and tabs in a hex editor, and all events are being written via the same log4j config).  I -thought- I had it all being parsed just fine, but it appears that the index-time parsing is not &lt;EM&gt;always&lt;/EM&gt; splitting the events on newlines, and I'll end up with two (or three, or four, or five) log lines in one event.  They have different timestamps, so it's not that it's rolling them up into one (the above two events are a sanitized example of two that got rolled together).  I would suspect it's that the first one ends with an equals sign (no value), but there are plenty of events in the same log that look identical that get split properly.  I'm stumped.  &lt;/P&gt;

&lt;P&gt;My props.conf for the log source looks like: &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[MySourceType]
LINE_BREAKER = ([\r\n]+)
REPORT-tab-kv-manual = tab-kv-manual
KV_MODE = NONE
TIME_PREFIX = DEBUG
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;And my transforms.conf looks like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tab-kv-manual]
REGEX = (\t|- )([^=]+)=([^\t\n]*)
FORMAT = $2::$3
REPEAT_MATCH = true
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Any suggestions?  &lt;/P&gt;</description>
      <pubDate>Thu, 16 Feb 2012 22:32:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73276#M15016</guid>
      <dc:creator>jcfergus</dc:creator>
      <dc:date>2012-02-16T22:32:11Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk not breaking events on line break properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73277#M15017</link>
      <description>&lt;P&gt;I've been there as well, and while it looks like your LINE_BREAKER regex is correct, I think I remember that being a bit more explicit solved the issue:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;LINE_BREAKER = ([\r\n]+)[A-Z]+\s+\|\s+\d+
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, your TIME_PREFIX is just wrong; it should be:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;TIME_PREFIX = ^[A-Z]+\s+\|\s+
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Hope this helps,&lt;/P&gt;

&lt;P&gt;Kristian&lt;/P&gt;</description>
      <pubDate>Fri, 17 Feb 2012 10:23:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73277#M15017</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-02-17T10:23:23Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk not breaking events on line break properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73278#M15018</link>
      <description>&lt;P&gt;Did you ever figure this out? Having the same issue. Testing the explicit line breaker currently.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Jan 2016 18:45:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73278#M15018</guid>
      <dc:creator>thisissplunk</dc:creator>
      <dc:date>2016-01-19T18:45:58Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk not breaking events on line break properly</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73279#M15019</link>
      <description>&lt;P&gt;What is your data format? Also, include "SHOULD_LINEMERGE=false" in props.conf along with LINE_BREAKER.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 08:27:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-breaking-events-on-line-break-properly/m-p/73279#M15019</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2020-09-29T08:27:48Z</dc:date>
    </item>
  </channel>
</rss>

