https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101503#M21279 <P>You're right, gkanapathy probably made a small mistake. Replace BREAK_ONLY_BEFORE with LINE_BREAKER. </P> <P>/kristian</P> Mon, 28 Sep 2020 10:02:59 GMT kristian_kolb 2020-09-28T10:02:59Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101497#M21273 <P>I have some data that looks like:</P> <P>TIMESTAMP: 2011-10-31 13:51:25<BR /> top - 13:51:25 up 6 days, 19:53, 5 users, load average: 21.00, 20.57, 19.83<BR /> Tasks: 130 total, 0 running, 130 sleeping, 0 stopped, 0 zombie<BR /> Cpu(s): 1.5% us, 0.7% sy, 0.0% ni, 96.4% id, 1.3% wa, 0.0% hi, 0.1% si<BR /> Mem: 32906264k total, 32847544k used, 58720k free, 346852k buffers<BR /> Swap: 33615352k total, 6804k used, 33608548k free, 7764416k cached</P> <P>PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND<BR /> 25772 admin 17 0 22.8g 22g 7040 S 19.9 72.1 10:17.11 rfsd<BR /> 25780 admin 16 0 22.8g 22g 7040 S 19.9 72.1 10:18.01 rfsd<BR /> 25777 admin 16 0 22.8g 22g 7040 S 17.9 72.1 10:18.10 rfsd<BR /> 25459 admin 16 0 22.8g 22g 7040 S 11.9 72.1 8:40.27 rfsd<BR /> 25493 admin 16 0 22.8g 22g 7040 S 6.0 72.1 2:03.05 rfsd</P> <P>TIMESTAMP: 2011-10-31 13:52:25<BR /> top - 13:52:25 up 6 days, 19:53, 5 users, load average: 21.00, 20.57, 19.83<BR /> Tasks: 130 total, 0 running, 130 sleeping, 0 stopped, 0 zombie<BR /> Cpu(s): 1.5% us, 0.7% sy, 0.0% ni, 96.4% id, 1.3% wa, 0.0% hi, 0.1% si<BR /> Mem: 32906264k total, 32847544k used, 58720k free, 346852k buffers<BR /> Swap: 33615352k total, 6804k used, 33608548k free, 7764416k cached</P> <P>PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND<BR /> 25772 admin 17 0 22.8g 22g 7040 S 19.9 72.1 10:17.11 rfsd<BR /> 25780 admin 16 0 22.8g 22g 7040 S 19.9 72.1 10:18.01 rfsd<BR /> 25777 admin 16 0 22.8g 22g 7040 S 17.9 72.1 10:18.10 rfsd<BR /> 25459 admin 16 0 22.8g 22g 7040 S 11.9 72.1 8:40.27 rfsd<BR /> 25493 admin 16 0 22.8g 22g 7040 S 6.0 72.1 2:03.05 rfsd</P> <P>I want to line break only before "TIMESTAMP". Here is my props.conf:</P> <P>[source::/var/log/stats/rfsd_top*]<BR /> SHOULD_LINEMERGE = True<BR /> BREAK_ONLY_BEFORE = TIMESTAMP<BR /> MAX_EVENTS = 400</P> <P>I sometimes get an event with just the "TIMESTAMP.." line while other times I get the correct event intact. The event size is 132 lines. How can I get this to work?</P> Mon, 28 Sep 2020 10:02:49 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101497#M21273 lisheridan 2020-09-28T10:02:49Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101498#M21274 <PRE><CODE>[source::/var/log/stats/rfsd_top*] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)TIMESTAMP: TRUNCATE = 40000 TIME_PREFIX = ^TIMESTAMP: TIME_FORMAT = %Y-%m-%d %H:%M:%S </CODE></PRE> Tue, 01 Nov 2011 00:27:54 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101498#M21274 gkanapathy 2011-11-01T00:27:54Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101499#M21275 <P>Give this stanza a try:</P> <P><CODE>[source::/var/log/stats/rfsd_top*]<BR /> TIME_PREFIX = ^TIMESTAMP:\s+<BR /> TIME_FORMAT= %Y-%m-%d %H:%M:%S<BR /> MAX_TIMESTAMP_LOOKAHEAD = 20<BR /> LINE_BREAKER = ([\r\n]+)(?=^TIMESTAMP:\s+\d{4}\-\d{2}\-\d{2})<BR /> SHOULD_LINEMERGE = false</CODE></P> <P>Hope this helps</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Tue, 01 Nov 2011 00:33:53 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101499#M21275 _d_ 2011-11-01T00:33:53Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101500#M21276 <P>Unfortunately neither of those worked but thx for trying (even with SHOULD_LINEMERGE = true while using BREAK_ONLY_BEFORE).</P> Mon, 28 Sep 2020 10:02:52 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101500#M21276 lisheridan 2020-09-28T10:02:52Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101501#M21277 <P>Shouldn't it be </P> <P>SHOULD_LINEMERGE = true</P> <P>if you are going to use BREAK_ONLY_BEFORE?</P> Mon, 28 Sep 2020 10:02:54 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101501#M21277 lguinn2 2020-09-28T10:02:54Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101502#M21278 <P>To your original stanza, try adding</P> <P>TRUNCATE = 40000</P> <P>MAX_TIMESTAMP_LOOKAHEAD = 42</P> Mon, 28 Sep 2020 10:02:57 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101502#M21278 lguinn2 2020-09-28T10:02:57Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101503#M21279 <P>You're right, gkanapathy probably made a small mistake. Replace BREAK_ONLY_BEFORE with LINE_BREAKER. </P> <P>/kristian</P> Mon, 28 Sep 2020 10:02:59 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101503#M21279 kristian_kolb 2020-09-28T10:02:59Z https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101504#M21280 <P>yes, thank you. corrected above.</P> Tue, 01 Nov 2011 15:04:22 GMT https://community.splunk.com/t5/Getting-Data-In/Multiline-events-not-line-breaking-as-expected/m-p/101504#M21280 gkanapathy 2011-11-01T15:04:22Z