topic Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233948#M45581 <P>Can you let us know exactly what your props.conf looks like for this sourcetype now? </P> Mon, 11 Jul 2016 14:13:16 GMT ryanoconnor 2016-07-11T14:13:16Z Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233942#M45575 <P>I am using the following configuration in props.conf. It is splitting most of the events correctly, but 2 or 3 events are collapsed. Should I need to include <CODE>SHOULD_LINEMERGE = false</CODE>?</P> <PRE><CODE>[my_source_type] NO_BINARY_CHECK = true BREAK_ONLY_BEFORE = ^\d{1,11}\s?,(([^\,]+)?\,?\.?),(([^\,]+)?\,?\.?) MAX_TIMESTAMP_LOOKAHEAD = 100 TIME_FORMAT = %Y%m%d%H%M%S%6N TIME_PREFIX = ^(?:[^,\n]*,){7} disabled = false pulldown_type = true </CODE></PRE> <P>This is a .dat file and it has more than 8000 events on a single file. </P> <P>Sample data</P> <P><STRONG>Actual events</STRONG></P> <PRE><CODE>07986376244,Mrs,xxxx,40369036,29.06.2016,14:00,21:00,20160628070106529271,/ablive/data/xx/serial/yy/DISTRIBUTION/DELIVERY/delivery_messages_inbound/pending/./MessageReminderPM201606280700120000.csv,MessageReminderPM201606280700120000.csv,38,4c7ca670-eddf-4362-8f4b-20ea99007a0b,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-1b5a,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-1bca,2016-06-28T07:02:23.224Z,2016-06-28T07:02:26.890Z,44,GB,Scheduled,Success,SUCCESS,SUCCESS 07941158158,Mr,yyyyy,40360516,29.06.2016,14:00,21:00,20160628070106516893,/ablive/data/xx/serial/yy/DISTRIBUTION/DELIVERY/delivery_messages_inbound/pending/./MessageReminderPM201606280700120000.csv,MessageReminderPM201606280700120000.csv,36,4a140e0f-69e4-44d3-a5ce-dfb186c9a081,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-19c6,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-1a2f,2016-06-28T07:02:17.050Z,2016-06-28T07:02:19.816Z,44,GB,Scheduled,Success,SUCCESS,SUCCESS </CODE></PRE> <P><STRONG>indexed events</STRONG></P> <PRE><CODE>ELIVERY/delivery_messages_inbound/pending/./MessageReminderPM201606280700120000.csv,MessageReminderPM201606280700120000.csv,38,4c7ca670-eddf-4362-8f4b-20ea99007a0b,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-1b5a,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-1bca,2016-06-28T07:02:23.224Z,2016-06-28T07:02:26.890Z,44,GB,Scheduled,Success,SUCCESS,SUCCESS xx/serial/JL/DISTRIBUTION/DELIVERY/delivery_messages_inbound/pending/./MessageReminderPM201606280700120000.csv,MessageReminderPM201606280700120000.csv,36,4a140e0f-69e4-44d3-a5ce-dfb186c9a081,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-19c6,225b00fe-26-a633-5e21f14e2-ac168f26_5772129e_37501fc-1a2f,2016-06-28T07:02:17.050Z,2016-06-28T07:02:19.816Z,44,GB,Scheduled,Success,SUCCESS,SUCCESS 07986356244,Mrs,Mason,40369036,29.06.2016,14:00,21:00,20160628070106529271,/ablive/data/xx/serial/yy/DISTRIBUTION/D 07941156158,Mr,Hurley,40360516,29.06.2016,14:00,21:00,20160628070106516893,/ablive/data/ </CODE></PRE> <P>Thanks in advance </P> Wed, 29 Jun 2016 07:22:26 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233942#M45575 arunloganathan 2016-06-29T07:22:26Z Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233943#M45576 <P>This appears to be a csv file. Have you tried indexed_extractions? </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Extractfieldsfromfileswithstructureddata">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Extractfieldsfromfileswithstructureddata</A></P> Fri, 08 Jul 2016 17:22:44 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233943#M45576 sundareshr 2016-07-08T17:22:44Z Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233944#M45577 <P>You should specify SHOULD_LINEMERGE = true if you want to use BREAK_ONLY_BEFORE, etc. It's not required though.</P> <P>Sorry for so many versions of this answer... i get confused on this one all the time <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Here's the section in props.conf:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Propsconf#Line_breaking" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Propsconf#Line_breaking</A></P> <P>See if this works:</P> <P>BREAK_ONLY_BEFORE = \d{1,11}\s?,(([^\,]+)?\,?.?),(([^\,]+)?\,?.?)</P> <P>Note about BREAK_ONLY_BEFORE<BR /> * When set, Splunk creates a new event <STRONG><EM>only if it encounters a new line that<BR /> matches the regular expression</EM></STRONG></P> <P>I like the idea of using INDEXED_EXTRACTIONS = CSV instead.</P> Tue, 29 Sep 2020 10:10:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233944#M45577 jkat54 2020-09-29T10:10:50Z Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233945#M45578 <P>Just to note, it's recommended to <STRONG>not</STRONG> use SHOULD_LINEMERGE = true if you can help it. You'll notice significant performance gains by not using that setting as it rules out an entire portion of the data pipeline. </P> Fri, 08 Jul 2016 18:42:25 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233945#M45578 ryanoconnor 2016-07-08T18:42:25Z Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233946#M45579 <P>Give this a try</P> <PRE><CODE> [my_source_type] NO_BINARY_CHECK = true LINE_BREAKER= ([\r\n]+)(\d{1,11}\s?,(([^\,]+)?\,?\.?),(([^\,]+)?\,?\.?)) MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %Y%m%d%H%M%S%6N TIME_PREFIX = ^(?:[^,\n]*,){7} SHOULD_LINEMERGE = false </CODE></PRE> Fri, 08 Jul 2016 21:39:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233946#M45579 somesoni2 2016-07-08T21:39:20Z Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233947#M45580 <P>i tired indexed_extractions as csv. All events get merged as 1 single event</P> Mon, 11 Jul 2016 09:52:30 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233947#M45580 arunloganathan 2016-07-11T09:52:30Z Re: Why is BREAK_ONLY_BEFORE not working as expected for all my events? https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233948#M45581 <P>Can you let us know exactly what your props.conf looks like for this sourcetype now? </P> Mon, 11 Jul 2016 14:13:16 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-BREAK-ONLY-BEFORE-not-working-as-expected-for-all-my/m-p/233948#M45581 ryanoconnor 2016-07-11T14:13:16Z