https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198980#M39426 <P>Two things,</P> <P>Does your regex match? I should recommend that you escape the opening square bracket, as it has special meaning in regex, like so;</P> <PRE><CODE>[xXx] BREAK_ONLY_BEFORE = Event\[ </CODE></PRE> <P><CODE>SHOULD_LINEMERGE = true</CODE> is a default setting, so it is not strictly needed.</P> <P><CODE>NO_BINARY_CHECK = 1</CODE> is only relevant in the input phase, so keep it there if your indexer is reading the files locally. If they're coming from a forwarder, this setting is ignored. But it won't hurt anything.</P> <P>Alternatively:</P> <P>Do you have the same <CODE>[xXx]</CODE> stanza configured anywhere with the BREAK_ONLY_BEFORE parameter set in a props.conf file that has higher precedence?</P> <PRE><CODE>/etc/system/local </CODE></PRE> <P>beats</P> <PRE><CODE>/etc/apps/app_name/local </CODE></PRE> <P>which in turn beats</P> <PRE><CODE>/etc/system/default </CODE></PRE> <P>See the docs on configuration file precedence;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles</A></P> <P>/K</P> Mon, 28 Sep 2020 15:37:11 GMT kristian_kolb 2020-09-28T15:37:11Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198977#M39423 <P>I have a few universal forwarders which tail a folder structure. They send the data to a indexer where also a searchhead is enabled.</P> <P>I need to specify in props.conf a linebreaker like so</P> <BLOCKQUOTE> <P>[xXx] <BR /> BREAK_ONLY_BEFORE = Event[<BR /> NO_BINARY_CHECK = 1 SHOULD_LINEMERGE =<BR /> true</P> </BLOCKQUOTE> <P>I am confused as to where i have to specify this meaning in what place i have to add it to a props.conf.</P> <P>Not on the universal forwarder i gather... but where on the indexer? in $splunkhome$/etc/apps/Splunk/Forwarder ???</P> <P>To contain all the configuration items for that source/usergroup i created an app and placed this snipped in the apps' /local/props.conf but it fails to separate the events by the string and insted opts for the default which is the timestamp roughly two lines below. (hint: the source is a windows eventlog export that is stripped from the xml for readibility, we feed end user workstations' eventlogs to splunk via a custom store-and-forward mechanism)</P> Mon, 28 Sep 2020 15:37:03 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198977#M39423 dominiquevocat 2020-09-28T15:37:03Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198978#M39424 <P>Under any app, in the local folder for example. Like:<BR /> $splunkhome$/etc/apps/search/local</P> <P>or</P> <P>$splunkhome$/etc/apps/myapp/local</P> <P>It will work anyway</P> Thu, 09 Jan 2014 16:00:54 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198978#M39424 gfuente 2014-01-09T16:00:54Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198979#M39425 <P>cool. that is what i did... why doesn't it work? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 09 Jan 2014 16:55:54 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198979#M39425 dominiquevocat 2014-01-09T16:55:54Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198980#M39426 <P>Two things,</P> <P>Does your regex match? I should recommend that you escape the opening square bracket, as it has special meaning in regex, like so;</P> <PRE><CODE>[xXx] BREAK_ONLY_BEFORE = Event\[ </CODE></PRE> <P><CODE>SHOULD_LINEMERGE = true</CODE> is a default setting, so it is not strictly needed.</P> <P><CODE>NO_BINARY_CHECK = 1</CODE> is only relevant in the input phase, so keep it there if your indexer is reading the files locally. If they're coming from a forwarder, this setting is ignored. But it won't hurt anything.</P> <P>Alternatively:</P> <P>Do you have the same <CODE>[xXx]</CODE> stanza configured anywhere with the BREAK_ONLY_BEFORE parameter set in a props.conf file that has higher precedence?</P> <PRE><CODE>/etc/system/local </CODE></PRE> <P>beats</P> <PRE><CODE>/etc/apps/app_name/local </CODE></PRE> <P>which in turn beats</P> <PRE><CODE>/etc/system/default </CODE></PRE> <P>See the docs on configuration file precedence;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Wheretofindtheconfigurationfiles</A></P> <P>/K</P> Mon, 28 Sep 2020 15:37:11 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198980#M39426 kristian_kolb 2020-09-28T15:37:11Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198981#M39427 <P>for now i get very few logs (once per day a few events) till we ramp up so testing has been difficult. It would seem that the last change took a while to have effect. The last change was placing the props.conf into the custom app on the indexer. It should have worked before but perhaps it was just bad timing... ??? will continue to watch it. Thanks for the reply anyway.</P> Fri, 10 Jan 2014 10:01:30 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-for-input-on-an-universal-forwarder/m-p/198981#M39427 dominiquevocat 2014-01-10T10:01:30Z