https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130047#M26758 <P>Thanks. I'm also going to look at the SEDCMD, which allows me to run sed commands against the stream.</P> Tue, 15 Apr 2014 00:03:49 GMT a212830 2014-04-15T00:03:49Z https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130043#M26754 <P>Hi,</P> <P>I have a new multi-line feed that needs to be put into SPlunk, and it's one of the more challenging ones that I've run into.</P> <P>The line will start with a number, followed by a colon ":", and then the word Bandwidth, followed by another colon. It could then have variables lines, and it ends with "Name:" and some value. Examples are below. The file also has other info, but I don't want that. Oh yeah, it's on Windows. No idea where to even start on this one (besides, Mad Men and GOT is on tv tonight!).</P> <PRE><CODE>SubZone: 1: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "SLC_SZ" 2: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "Canaada_SZ" 3: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "SLC American Fork_SZ" 4: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "UK_SZ" 5: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "Japan_SZ" 6: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "Hong Kong_SZ" 7: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "Taiwan_SZ" 8: Bandwidth: ClusterUsage: "0" LocalUsage: "0" Name: "India_SZ" </CODE></PRE> Mon, 14 Apr 2014 00:38:35 GMT https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130043#M26754 a212830 2014-04-14T00:38:35Z https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130044#M26755 <P>Hello,<BR /> You can use props.conf to manage that in indexer end.</P> <P><CODE>BREAK_ONLY_BEFORE=\d:</CODE></P> <P>will make sure the events break at only with a number and colon.</P> <P>Thanks</P> Mon, 14 Apr 2014 05:05:20 GMT https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130044#M26755 linu1988 2014-04-14T05:05:20Z https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130045#M26756 <P>Thanks. I got that working. Any suggestion on filtering out (or filtering in) in this type of situation? The event should start with a number, followed by a colon, and end with "Name:" and some value. Anything that doesn't meet that criteria should be filtered.</P> Mon, 14 Apr 2014 19:33:33 GMT https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130045#M26756 a212830 2014-04-14T19:33:33Z https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130046#M26757 <P>Best option always will be setting the start or end. I see start is the better way. There is not much pattern to redirect the inputs to null queue. So better leave it that way. it will be very hard to filter lines inbetween your multi line event. If it solves the issue mark it as an answer...</P> Mon, 14 Apr 2014 19:38:14 GMT https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130046#M26757 linu1988 2014-04-14T19:38:14Z https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130047#M26758 <P>Thanks. I'm also going to look at the SEDCMD, which allows me to run sed commands against the stream.</P> Tue, 15 Apr 2014 00:03:49 GMT https://community.splunk.com/t5/Getting-Data-In/line-breaking-question/m-p/130047#M26758 a212830 2014-04-15T00:03:49Z