https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30016#M5209 <P>If you are using a buffered logger where there may be delays, this is likely the problem. Splunk will flush the file with a _doneKey after a certain time:</P> <P><A href="http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf</A></P> <PRE><CODE>time_before_close = &lt;integer&gt; * Modtime delta required before Splunk can close a file on EOF. * Tells the system not to close files that have been updated in past &lt;integer&gt; seconds. * Defaults to 3. </CODE></PRE> <P>By the way, the below should be sufficient:</P> <PRE><CODE>[my_log] BREAK_ONLY_BEFORE = \-\-\-\sbegin MAX_EVENTS = 10000 TRUNCATE = 100000 </CODE></PRE> Sat, 22 Jan 2011 04:38:42 GMT araitz 2011-01-22T04:38:42Z https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30014#M5207 <P>Hello, I have a big log file that is set to be sourcetype=my_log and it basically looks like this:</P> <PRE><CODE>--- begin_request --- blah blah blah blah --- end_request --- --- begin_request --- blah blah --- end_request --- </CODE></PRE> <P>and so on. With props.conf configuration below events are correctly split most of the time but sometimes they are just split somewhere in the middle. This happens to small and large events. </P> <PRE><CODE>[my_log] BREAK_ONLY_BEFORE_DATE = False SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = --- begin_request --- MUST_NOT_BREAK_AFTER = --- begin_request --- MUST_BREAK_AFTER = --- end_request --- MAX_EVENTS = 10000 TRUNCATE = 100000 </CODE></PRE> <P>App that produces my_log uses a buffered logger so there are random and periodic delays of how log data is flushed into the log file and it is definitely possible that a single event will not be flushed to disk as a whole. That might be the cause for the strange event splits but I'm not sure.</P> <P>Any ideas?</P> Fri, 21 Jan 2011 07:52:45 GMT https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30014#M5207 cppforlife 2011-01-21T07:52:45Z https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30015#M5208 <P>No solution to the breaking problem, but have you considered using transactions to achieve the same thing? Have Splunk index the events line by line but group them together as transactions using startswith="--- begin_request ---" and endswith="--- end_request ---".</P> Fri, 21 Jan 2011 19:24:49 GMT https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30015#M5208 Ayn 2011-01-21T19:24:49Z https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30016#M5209 <P>If you are using a buffered logger where there may be delays, this is likely the problem. Splunk will flush the file with a _doneKey after a certain time:</P> <P><A href="http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf</A></P> <PRE><CODE>time_before_close = &lt;integer&gt; * Modtime delta required before Splunk can close a file on EOF. * Tells the system not to close files that have been updated in past &lt;integer&gt; seconds. * Defaults to 3. </CODE></PRE> <P>By the way, the below should be sufficient:</P> <PRE><CODE>[my_log] BREAK_ONLY_BEFORE = \-\-\-\sbegin MAX_EVENTS = 10000 TRUNCATE = 100000 </CODE></PRE> Sat, 22 Jan 2011 04:38:42 GMT https://community.splunk.com/t5/Getting-Data-In/multiline-events-using-line-merge-weird-splitting-issue/m-p/30016#M5209 araitz 2011-01-22T04:38:42Z