topic ESXi Events Splitting line by line in Getting Data In https://community.splunk.com/t5/Getting-Data-In/ESXi-Events-Splitting-line-by-line/m-p/215888#M42463 <P>Splunk is splitting each line into an event instead of grouping the whole block as one event. I've tried a few fixes for this host in C:\Program Files\Splunk\etc\system\local\props.conf. (I removed the actual IP below and replaced it with "hostname")</P> <P>My ESXi host's hostd logs on the host look like below:</P> <HR /> <P>2016-08-08T19:16:29.145Z [3C481B70 error 'SoapAdapter']<BR /> --&gt; Required parameter querySpec is missing<BR /> --&gt;<BR /> --&gt; while parsing call information for method QueryPerf<BR /> --&gt; at line 1, column 285<BR /> --&gt;<BR /> --&gt; while parsing SOAP body<BR /> --&gt; at line 1, column 271<BR /> --&gt;<BR /> --&gt; while parsing SOAP envelope<BR /> --&gt; at line 1, column 38<BR /> --&gt;<BR /> --&gt; while parsing HTTP request for method queryStats<BR /> --&gt; on object of type vim.PerformanceManager<BR /> --&gt; at line 1, column 0</P> <HR /> <P>My props.conf additions look like the below:</P> <P><STRONG>This did nothing - events came in the same</STRONG><BR /> [host::hostname]<BR /> BREAK_ONLY_BEFORE_DATE = true<BR /> SHOULD_LINEMERGE = true</P> <P><STRONG>No difference once again</STRONG><BR /> [host::hostname]<BR /> TIME_PREFIX = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z)<BR /> BREAK_ONLY_BEFORE_DATE = true<BR /> SHOULD_LINEMERGE = true</P> <P><STRONG>This one removed the dates, but still broke it out on each line</STRONG><BR /> [host::hostname]<BR /> LINE_BREAKER = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z)</P> <P>Any ideas what I can do next? It seems like Splunk is finding a timestamp on each line, but I don't see where it's getting that.</P> <P>Thanks!</P> Tue, 29 Sep 2020 10:32:39 GMT ironalsa 2020-09-29T10:32:39Z ESXi Events Splitting line by line https://community.splunk.com/t5/Getting-Data-In/ESXi-Events-Splitting-line-by-line/m-p/215888#M42463 <P>Splunk is splitting each line into an event instead of grouping the whole block as one event. I've tried a few fixes for this host in C:\Program Files\Splunk\etc\system\local\props.conf. (I removed the actual IP below and replaced it with "hostname")</P> <P>My ESXi host's hostd logs on the host look like below:</P> <HR /> <P>2016-08-08T19:16:29.145Z [3C481B70 error 'SoapAdapter']<BR /> --&gt; Required parameter querySpec is missing<BR /> --&gt;<BR /> --&gt; while parsing call information for method QueryPerf<BR /> --&gt; at line 1, column 285<BR /> --&gt;<BR /> --&gt; while parsing SOAP body<BR /> --&gt; at line 1, column 271<BR /> --&gt;<BR /> --&gt; while parsing SOAP envelope<BR /> --&gt; at line 1, column 38<BR /> --&gt;<BR /> --&gt; while parsing HTTP request for method queryStats<BR /> --&gt; on object of type vim.PerformanceManager<BR /> --&gt; at line 1, column 0</P> <HR /> <P>My props.conf additions look like the below:</P> <P><STRONG>This did nothing - events came in the same</STRONG><BR /> [host::hostname]<BR /> BREAK_ONLY_BEFORE_DATE = true<BR /> SHOULD_LINEMERGE = true</P> <P><STRONG>No difference once again</STRONG><BR /> [host::hostname]<BR /> TIME_PREFIX = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z)<BR /> BREAK_ONLY_BEFORE_DATE = true<BR /> SHOULD_LINEMERGE = true</P> <P><STRONG>This one removed the dates, but still broke it out on each line</STRONG><BR /> [host::hostname]<BR /> LINE_BREAKER = (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z)</P> <P>Any ideas what I can do next? It seems like Splunk is finding a timestamp on each line, but I don't see where it's getting that.</P> <P>Thanks!</P> Tue, 29 Sep 2020 10:32:39 GMT https://community.splunk.com/t5/Getting-Data-In/ESXi-Events-Splitting-line-by-line/m-p/215888#M42463 ironalsa 2020-09-29T10:32:39Z Re: ESXi Events Splitting line by line https://community.splunk.com/t5/Getting-Data-In/ESXi-Events-Splitting-line-by-line/m-p/215889#M42464 <P>Is the IP address what you see in the host field when you search your esxi log data? Thats the value you have to put into the hostname in [host::hostname]. You might want to consider just using a sourcetype instead, that way any esxi logs can be treated the same way. </P> <P>Try this:</P> <PRE><CODE>[host::hostname] LINE_BREAKER=(\v+)(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3} SHOULD_LINEMERGE=False TIME_FORMAT=%FT%H:%M:%S.%3N TIME_PREFIX=^ </CODE></PRE> Tue, 09 Aug 2016 05:46:50 GMT https://community.splunk.com/t5/Getting-Data-In/ESXi-Events-Splitting-line-by-line/m-p/215889#M42464 Jeremiah 2016-08-09T05:46:50Z