https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216637#M42628 <P>Hi everyone,</P> <P>I've got an application sending data to splunk, which are split over multiple lines instead to keep everything on the same line.</P> <P>When I redirect my data to a file instead of splunk, I can find that the ascii code #012 is sent as part of the string.</P> <P><STRONG>Example:</STRONG></P> <PRE><CODE>... #012Change details : #012filewrite#012 ... </CODE></PRE> <P><STRONG>Which are split in multiples lines in splunk:</STRONG></P> <PRE><CODE>... 9/29/16 3:25:30.000 AM filewrite host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog 9/29/16 3:25:30.000 AM Change details : host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog ... </CODE></PRE> <P>Is there any way to replace the ASCII code #012 before to index it into splunk ?</P> <P>I've try to add this config in my props.conf, but it did not solved it.</P> <PRE><CODE>[syslog] LINE_BREAKER=#012 SHOULD_LINEMERGE=true </CODE></PRE> <P>And also this one: </P> <PRE><CODE>[syslog] SEDCMD-fim = s/\#012/ /g </CODE></PRE> <P>Thanks for your support.</P> Thu, 29 Sep 2016 03:42:39 GMT vlours 2016-09-29T03:42:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216637#M42628 <P>Hi everyone,</P> <P>I've got an application sending data to splunk, which are split over multiple lines instead to keep everything on the same line.</P> <P>When I redirect my data to a file instead of splunk, I can find that the ascii code #012 is sent as part of the string.</P> <P><STRONG>Example:</STRONG></P> <PRE><CODE>... #012Change details : #012filewrite#012 ... </CODE></PRE> <P><STRONG>Which are split in multiples lines in splunk:</STRONG></P> <PRE><CODE>... 9/29/16 3:25:30.000 AM filewrite host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog 9/29/16 3:25:30.000 AM Change details : host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog ... </CODE></PRE> <P>Is there any way to replace the ASCII code #012 before to index it into splunk ?</P> <P>I've try to add this config in my props.conf, but it did not solved it.</P> <PRE><CODE>[syslog] LINE_BREAKER=#012 SHOULD_LINEMERGE=true </CODE></PRE> <P>And also this one: </P> <PRE><CODE>[syslog] SEDCMD-fim = s/\#012/ /g </CODE></PRE> <P>Thanks for your support.</P> Thu, 29 Sep 2016 03:42:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216637#M42628 vlours 2016-09-29T03:42:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216638#M42629 <P>The #012 is ascii code for \n, so that is why events are getting split (default LINE_BREAKER is <CODE>([\r\n]+)</CODE>). You second configuration with SEDCMD will not work as SEDCMD executes after events are broken.</P> <P>How does your data looks like when you redirect it to a file (sample entries, mask any sensitive data)? You probably have to setup correct LINE_BREAKER (assuming you're data is directly coming to indexer/heavy forwarder) to split it correctly.</P> Thu, 29 Sep 2016 05:10:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216638#M42629 somesoni2 2016-09-29T05:10:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216639#M42630 <P>Hi somesoni2,</P> <P>Actually, I did not test it with the default LINE_BREAKER, as I was fighting with my #012 value.<BR /> Setting the default value LINE_BREAKER and the SHOULD_LINEMERGE is working fine. </P> <P>So, I've put the following in my props.conf:<BR /> <EM>[syslog]<BR /> LINE_BREAKER=([\r\n]+)<BR /> SHOULD_LINEMERGE=true</EM></P> <P>Thanks a lot.<BR /> Have a great day.</P> Tue, 29 Sep 2020 11:11:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216639#M42630 vlours 2020-09-29T11:11:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216640#M42631 <P>As explain by <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a>, the #012 is is ascii code for \n</P> <P>So to solve it, I've include the following in my props.conf:<BR /> <EM>[syslog]<BR /> LINE_BREAKER=([\r\n]+)<BR /> SHOULD_LINEMERGE=true</EM></P> <P>My data are now merged correctly in one line.</P> Tue, 29 Sep 2020 11:11:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-remove-an-invalid-line-breaker-from-syslog-before/m-p/216640#M42631 vlours 2020-09-29T11:11:33Z