https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123879#M25554 <P>Hello, I have logs with some events. My events start from:"main: number of bytes received: " and finish to:"msgsnd_w_retry [dst task: COMMSINT, time: 27/03/2011 09:48:31.0157]: Send msg to queue 34504712". I use line Line breaker: <CODE>"LINE_BREAKER= (^.)*+Send\s+msg\s+to\s+queue\s+\d* (\n)* (^.)*+\v*+\s*+main+:+\s*+number+\s*+of+\s*+bytes+\s*+received+:+\s*+\d"</CODE> and I want to see only my event . But It doesn't not work. Help mу pls.</P> Mon, 28 Sep 2020 20:03:26 GMT DuXa 2020-09-28T20:03:26Z https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123879#M25554 <P>Hello, I have logs with some events. My events start from:"main: number of bytes received: " and finish to:"msgsnd_w_retry [dst task: COMMSINT, time: 27/03/2011 09:48:31.0157]: Send msg to queue 34504712". I use line Line breaker: <CODE>"LINE_BREAKER= (^.)*+Send\s+msg\s+to\s+queue\s+\d* (\n)* (^.)*+\v*+\s*+main+:+\s*+number+\s*+of+\s*+bytes+\s*+received+:+\s*+\d"</CODE> and I want to see only my event . But It doesn't not work. Help mу pls.</P> Mon, 28 Sep 2020 20:03:26 GMT https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123879#M25554 DuXa 2020-09-28T20:03:26Z https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123880#M25555 <P>The LINE_BREAKER statement is an unquoted regex string that defines the text that comes <EM>between</EM> events. A capturing group is required and the contents of that group will be discarded. You probably want something like:</P> <PRE><CODE>LINE_BREAKER = ([\r\n])main: </CODE></PRE> Wed, 27 May 2015 15:56:29 GMT https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123880#M25555 richgalloway 2015-05-27T15:56:29Z https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123881#M25556 <P>Yes, I want this, but i don't how how to write?</P> Wed, 27 May 2015 16:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123881#M25556 DuXa 2015-05-27T16:33:16Z https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123882#M25557 <P>Use a site like regex101.com to find a regex string that finds the separators between your events. Put that regex string in your local/props.conf file under the appropriate stanza. Restart Splunk for the change to take effect.</P> Wed, 27 May 2015 17:12:52 GMT https://community.splunk.com/t5/Getting-Data-In/HOW-TO-USE-LINE-BREAKER-3/m-p/123882#M25557 richgalloway 2015-05-27T17:12:52Z