topic Re: How to configure Splunk to not index a line before it is finished writing? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130379#M26812 <P>Hi,<BR /> I know that this is the old question, but it would have saved my day if it was answered before )</P> <P>The answer is to add time_before_close=60 (or another integer) into inputs.conf and all events will index correctly!</P> <P><A href="https://answers.splunk.com/answers/103132/events-are-broken-in-the-middle-of-the-line.html" target="_blank">https://answers.splunk.com/answers/103132/events-are-broken-in-the-middle-of-the-line.html</A><BR /> <A href="https://answers.splunk.com/answers/492950/the-app-is-indexing-event-before-the-tmg-has-write.html" target="_blank">https://answers.splunk.com/answers/492950/the-app-is-indexing-event-before-the-tmg-has-write.html</A></P> Tue, 29 Sep 2020 12:32:43 GMT shbagautdinov 2020-09-29T12:32:43Z How to configure Splunk to not index a line before it is finished writing? https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130374#M26807 <P>We are writing out to a log for which splunk is indexing for most lines okay, but some times splunk indexes before the line has finished writing.</P> <P>This is due to the process in the way the log line is generated. Is there a way to tell splunk to not index the line until the next line is seen?</P> Fri, 21 Nov 2014 16:43:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130374#M26807 BrendanMcE 2014-11-21T16:43:42Z Re: How to configure Splunk to not index a line before it is finished writing? https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130375#M26808 <P>If you are indexing a log file that is tied to a process that is sending buffered output, then you will always have a problem (from my experience). I had a couple of processes that did that, and I had to force the output of the complete buffer, even if it was only partly full. One example was a Curl program that collected output and put it into a file that Splunk indexed. The curl invocation had to be done with the flag that told it not to buffer the output. If I didn't do this, then it would split lines all over the place as it wrote out 4096 bytes at a time.</P> <P>Is this the type of thing you are seeing?</P> Fri, 21 Nov 2014 19:55:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130375#M26808 cpetterborg 2014-11-21T19:55:50Z Re: How to configure Splunk to not index a line before it is finished writing? https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130376#M26809 <P>We are using Jmeter and it starts writing out the line, then adds some more and so on until the line is complete. Splunk indexes it partially.<BR /> Just thought, there might be a way to stop splunk indexing the line until it sees the start of the next line, say the date.</P> Mon, 24 Nov 2014 10:38:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130376#M26809 BrendanMcE 2014-11-24T10:38:51Z Re: How to configure Splunk to not index a line before it is finished writing? https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130377#M26810 <P>How is the Jmeter input configured? Are you sure that there is no "backslash_r" or "backslash_n" hidden in the slow log line? See <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Indexmulti-lineevents" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Indexmulti-lineevents</A> for info on event breaking.</P> Mon, 28 Sep 2020 18:14:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130377#M26810 felipetesta 2020-09-28T18:14:12Z Re: How to configure Splunk to not index a line before it is finished writing? https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130378#M26811 <P>Have you tried MUST_NOT_BREAK_BEFORE set to a newline or carriage return or both?</P> Mon, 28 Sep 2020 18:15:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130378#M26811 cpetterborg 2020-09-28T18:15:07Z Re: How to configure Splunk to not index a line before it is finished writing? https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130379#M26812 <P>Hi,<BR /> I know that this is the old question, but it would have saved my day if it was answered before )</P> <P>The answer is to add time_before_close=60 (or another integer) into inputs.conf and all events will index correctly!</P> <P><A href="https://answers.splunk.com/answers/103132/events-are-broken-in-the-middle-of-the-line.html" target="_blank">https://answers.splunk.com/answers/103132/events-are-broken-in-the-middle-of-the-line.html</A><BR /> <A href="https://answers.splunk.com/answers/492950/the-app-is-indexing-event-before-the-tmg-has-write.html" target="_blank">https://answers.splunk.com/answers/492950/the-app-is-indexing-event-before-the-tmg-has-write.html</A></P> Tue, 29 Sep 2020 12:32:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-not-index-a-line-before-it-is/m-p/130379#M26812 shbagautdinov 2020-09-29T12:32:43Z