topic Re: splunk ignoring LINE_BREAKER in Getting Data In

splunk ignoring LINE_BREAKER

phemmer — Wed, 13 Jan 2016 19:00:52 GMT

I've configured a source type in props.conf with LINE_BREAKER = (\n+) to remove the \r from the default value. This was done so that we can send multi-line events using \r as the delimiter between lines, and \n as the delimiter between events.
The problem however is that splunk is still breaking messages into multiple events on the \r character.

Any ideas why?

Here's an example.
This screenshot is the tcpdump output of a 2-line message, where the second line should be this is line 2.

Here's the event as shown by the search app.

Here's the active sourcetype configuration:

The etc/system/local/props.conf on the indexer nodes:

[syslog]
LINE_BREAKER = (\n+)

Re: splunk ignoring LINE_BREAKER

alemarzu — Wed, 13 Jan 2016 19:09:17 GMT

Hi there phemmer,

Would you mind to paste the sample data ?

Re: splunk ignoring LINE_BREAKER

s2_splunk — Wed, 13 Jan 2016 19:13:50 GMT

The sourcetype definition in your screenshot does not match what you list under etc/system/local/props.conf on the indexer nodes!? Looks like you have defined the sourcetype in the app called "AppsBrowser", can you share the props.conf file from etc/apps/appsBrowser/local, please?

Re: splunk ignoring LINE_BREAKER

richgalloway — Tue, 29 Sep 2020 08:22:42 GMT

The Admin manual says LINE_BREAKER should only be used when SHOULD_LINEMERGE=false. It also says BREAK_ONLY_BEFORE only applies if SHOULD_LINEMERGE=true so it doesn't make sense to have both LINE_BREAKER and BREAK_ONLY_BEFORE in the same sourcetype. Also, while LINE_BREAKER requires a capturing group there is no explicit requirement for a capturing group in BREAK_ONLY_BEFORE.

Re: splunk ignoring LINE_BREAKER

phemmer — Wed, 13 Jan 2016 20:05:22 GMT

@alemarzu sorry, looks like the screenshots broke. I uploaded them to an image host.

@ssievert: I don't know why that shows "AppsBrowser". I've never touched that. There is no etc/appsbrowser/local, and etc/appsbrowser/default has no props.conf.

@richgalloway: That is the default, so I just left it alone for now. However if SHOULD_LINEMERGE were causing a problem, there would be too many lines in a single event, which is the opposite of my problem.

Re: splunk ignoring LINE_BREAKER

phemmer — Thu, 14 Jan 2016 02:39:34 GMT

Figured it out.
We had an app which was doing transforms on syslog sources. However the regex it was using used .* to match all data, but . doesn't match carriage return (by default).
I tweaked the regex the app uses to add (?s) to set the regex flag letting it match.