https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/153255#M31182 <P>I think it can happen when two events arrive "simultaneously" from the input. Or something. But it is <EM>very easy</EM> to fix.</P> <P>In <CODE>props.conf</CODE> add this stanza (or add the statement to the existing stanza for the sourcetype)</P> <PRE><CODE>[yoursourcetypehere] SHOULD_LINEMERGE = false </CODE></PRE> <P>This tells Splunk that every line is a separate event.</P> Mon, 05 May 2014 22:29:16 GMT lguinn2 2014-05-05T22:29:16Z https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/153254#M31181 <P>Guys, I'm trying to index some Syslog data from some F5's. The issue I have is, Splunk seems to recognize and break log lines correctly, a majority of the time, but, sometimes, lumps more than a single event into one event. There is not difference in the log lines. Here's an example:</P> <P>2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 795</P> <P>2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_acc] 127.0.0.1 - - [05/May/2014:14:53:19 -0600] "/iControl/iControlPortal.cgi" 200 950</P> <P>The above 2 lines were correctly detected as two separate events.</P> <P>However, all 7 lines below were detected as ONE event. They shouldn't because the time stamp is pretty clear on each log event.</P> <P>2014-05-05 14:53:19 Local6.Info 10.0.2.64 May 5 14:53:19 DR0-f5-02 info logger: [ssl_req][05/May/2014:14:53:19 -0600] 127.0.0.1 TLSv1 AES256-SHA "/iControl/iControlPortal.cgi" 950<BR /> 2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice bigd[7342]: 01060001:5: Service detected UP for ::ffff:10.0.36.23%149:443 monitor /Common/xxxx<BR /> 2014-05-05 14:53:19 Local0.Notice 10.0.2.64 May 5 14:53:19 DR0-f5-02 notice mcpd[7130]: 01070727:5: Pool /Common/--test-- member /Common/dddd:0 monitor status up. [ /Common/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_HTTPS: up ] [ was down for 0hr:0min:6sec ]<BR /> 2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm1[10172]: 01010221:3: Pool /Common/--test-- now has available members<BR /> 2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm[10172]: 01010221:3: Pool /Common/--test-- now has available members<BR /> 2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm2[10172]: 01010221:3: Pool /Common/--test-- now has available members<BR /> 2014-05-05 14:53:19 Local0.Error 10.0.2.64 May 5 14:53:19 DR0-f5-02 err tmm3[10172]: 01010221:3: Pool /Common/--test-- now has available members</P> <P>Could you guys give me any ideas for what would be going on, why does the 2 lines above get parsed correctly and not the following ones ? <BR /> Thank you guys, any help would be appreciated.</P> Mon, 05 May 2014 22:09:21 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/153254#M31181 salles 2014-05-05T22:09:21Z https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/153255#M31182 <P>I think it can happen when two events arrive "simultaneously" from the input. Or something. But it is <EM>very easy</EM> to fix.</P> <P>In <CODE>props.conf</CODE> add this stanza (or add the statement to the existing stanza for the sourcetype)</P> <PRE><CODE>[yoursourcetypehere] SHOULD_LINEMERGE = false </CODE></PRE> <P>This tells Splunk that every line is a separate event.</P> Mon, 05 May 2014 22:29:16 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-line-breaking/m-p/153255#M31182 lguinn2 2014-05-05T22:29:16Z