https://community.splunk.com/t5/Getting-Data-In/Web-Logs-Not-Breaking-Correctly/m-p/111972#M23461 <P>I pointed my UF at the web log folder and there are many logs in the folder.</P> <P>Then the UF started reading the *.log files the contents of the log files started coming in as one event per log file rather than breaking on each line.</P> <P>How to i get the logs to break on each line in the log rather than collect the hole file as one event.</P> <P>the UF is sending data to a Intermediate forwarder before going to the indexers. Should I put the linbreaking on the UF or IF</P> <P>What should the breaking look like these are standered IIS log files that start with these three lines at the top of each file</P> <P>`</P> <H1>Software: Microsoft Internet Information Services 6.0 #Version: 1.0</H1> <H1>Date: 2007-01-29 21:02:57</H1> <H1>Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken`</H1> <P>Is there a way to delete and re-index all the files that have been indexed already?</P> Fri, 15 May 2015 15:12:24 GMT hartfoml 2015-05-15T15:12:24Z https://community.splunk.com/t5/Getting-Data-In/Web-Logs-Not-Breaking-Correctly/m-p/111972#M23461 <P>I pointed my UF at the web log folder and there are many logs in the folder.</P> <P>Then the UF started reading the *.log files the contents of the log files started coming in as one event per log file rather than breaking on each line.</P> <P>How to i get the logs to break on each line in the log rather than collect the hole file as one event.</P> <P>the UF is sending data to a Intermediate forwarder before going to the indexers. Should I put the linbreaking on the UF or IF</P> <P>What should the breaking look like these are standered IIS log files that start with these three lines at the top of each file</P> <P>`</P> <H1>Software: Microsoft Internet Information Services 6.0 #Version: 1.0</H1> <H1>Date: 2007-01-29 21:02:57</H1> <H1>Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken`</H1> <P>Is there a way to delete and re-index all the files that have been indexed already?</P> Fri, 15 May 2015 15:12:24 GMT https://community.splunk.com/t5/Getting-Data-In/Web-Logs-Not-Breaking-Correctly/m-p/111972#M23461 hartfoml 2015-05-15T15:12:24Z https://community.splunk.com/t5/Getting-Data-In/Web-Logs-Not-Breaking-Correctly/m-p/111973#M23462 <P>I added these lines to the $SPLUNK_HOME/etc/system/local/props.conf file and that fixed the braking</P> <P>[iis] <BR /> pulldown_type = true <BR /> MAX_TIMESTAMP_LOOKAHEAD = 32 <BR /> SHOULD_LINEMERGE = False <BR /> CHECK_FOR_HEADER = true</P> <P>I got this from this answer <A href="http://answers.splunk.com/answers/36/how-to-extract-fields-from-iis-default-log-file-format-w3c-extended-logs-with-splunk.html" target="_blank">How to extract fields from IIS default log file format ...</A></P> Mon, 28 Sep 2020 19:58:38 GMT https://community.splunk.com/t5/Getting-Data-In/Web-Logs-Not-Breaking-Correctly/m-p/111973#M23462 hartfoml 2020-09-28T19:58:38Z