topic Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239001#M46422 <P>Hi,</P> <P>I have a forwarder on a Windows server that is pulling logs from a folder. Logs are in a single file (multiple lines - each line per event).<BR /> Each event for that index contains multiple lines in Splunk.<BR /> I would like Splunk to separate lines so each line appears as a new event.<BR /> Please help me achieve this. I want to extract fields, but to do it, I need to have each line as a separate event.</P> <P>Right now events look like this:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1538iA68430E2FAF53F4E/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 06 Jul 2016 18:39:23 GMT pashtet13 2016-07-06T18:39:23Z Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239001#M46422 <P>Hi,</P> <P>I have a forwarder on a Windows server that is pulling logs from a folder. Logs are in a single file (multiple lines - each line per event).<BR /> Each event for that index contains multiple lines in Splunk.<BR /> I would like Splunk to separate lines so each line appears as a new event.<BR /> Please help me achieve this. I want to extract fields, but to do it, I need to have each line as a separate event.</P> <P>Right now events look like this:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1538iA68430E2FAF53F4E/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 06 Jul 2016 18:39:23 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239001#M46422 pashtet13 2016-07-06T18:39:23Z Re: Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239002#M46423 <P>What you need is to configure Line breaking for your log on Indexer/Heavy forwarder. Have a look at this to understand how splunk processes a log file data</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configureeventlinebreaking">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configureeventlinebreaking</A></P> <P>So, configure following on your indexer/Heavy forwarder</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) </CODE></PRE> Wed, 06 Jul 2016 18:46:32 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239002#M46423 somesoni2 2016-07-06T18:46:32Z Re: Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239003#M46424 <P><CODE>SHOULD_LINEMERGE = false</CODE> in <CODE>props.conf</CODE> for the source, should do it.</P> Wed, 06 Jul 2016 18:50:35 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239003#M46424 ddrillic 2016-07-06T18:50:35Z Re: Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239004#M46425 <P>Thanks. I saw this document before. The issue is that there is no props.conf file in $SPLUNK_HOME/etc/system/local/<BR /> Our Splunk was initially configured by the consultant, that's why it's hard to make changes now.<BR /> I am pulling data with the deployment app I created. Should I create a props.conf file under the app itself?</P> Wed, 06 Jul 2016 19:24:42 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239004#M46425 pashtet13 2016-07-06T19:24:42Z Re: Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239005#M46426 <P>Just create a new props.conf file with the desired configuration in $SPLUNK_HOME/etc/system/local/ on your indexer.</P> <P>Make sure to restart Splunk to apply the changes.</P> Thu, 07 Jul 2016 06:47:15 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239005#M46426 aosso 2016-07-07T06:47:15Z Re: Monitoring logs on a Windows forwarder, how do I configure line breaking so each line is a separate event? https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239006#M46427 <P>Ideally you'll want to deploy as many changes as possible using the Deployment Server if you have one. But if you can't figure that out, than yes the changes mentioned above should get you where you need to go. </P> Thu, 07 Jul 2016 12:03:06 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-logs-on-a-Windows-forwarder-how-do-I-configure-line/m-p/239006#M46427 ryanoconnor 2016-07-07T12:03:06Z