https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31027#M5451 <P>Thank you but no luck.. :(.. Any more suggestions??</P> Tue, 13 Nov 2012 03:48:53 GMT raju_dara 2012-11-13T03:48:53Z https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31025#M5449 <P>Below is the app log content and the configuration parameters in props.conf. Not sure what is going wrong.. Output is all messed up and I dont see the events getting generated seperatly.. Any help??</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;1234</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY</P> <P>;ZZZZ</P> <P>;ZZZY</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUUU</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUU1</P> <P>;ZZRZ</P> <P>;ZZRY</P> <P><EM>TRUNCATE=240000<BR /> TIME_PREFIX = ^Timestamp:\s<BR /> TIME_FORMAT= %m/%d/%Y %H:%M:%S<BR /> LINE_BREAKER = ([\r\n]+)(?=Timestamp:\s)<BR /> SHOULD_LINEMERGE=false</EM></P> <P>This is what I am expecting on SPLUNK<BR /> Event One<BR /> 11/12/2012 07:59 V XXXXXX YYY ;YYYY;1234</P> <P>Event two</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY</P> <P>;ZZZZ</P> <P>;ZZZY</P> <P>Event three..</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUUU</P> <P>11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUU1</P> <P>;ZZRZ</P> <P>;ZZRY</P> Mon, 28 Sep 2020 12:47:16 GMT https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31025#M5449 raju_dara 2020-09-28T12:47:16Z https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31026#M5450 <P>You do not need a time prefix or a line breaker. Try</P> <PRE><CODE>TRUNCATE=240000 TIME_FORMAT= %m/%d/%Y %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD=30 SHOULD_LINEMERGE=false BREAK_ONLY_BEFORE_DATE = true </CODE></PRE> <P>You don't actually need the last 2 lines either, as these are the defaults. And MAX_TIMESTAMP_LOOKAHEAD is just for efficiency.</P> Mon, 28 Sep 2020 12:47:21 GMT https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31026#M5450 lguinn2 2020-09-28T12:47:21Z https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31027#M5451 <P>Thank you but no luck.. :(.. Any more suggestions??</P> Tue, 13 Nov 2012 03:48:53 GMT https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31027#M5451 raju_dara 2012-11-13T03:48:53Z https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31028#M5452 <P>Below is the output.. Last 3 lines should be part of Event2.. </P> <P>Event 1<BR /> 11/12/2012 07:59 V XXXXXX YYY ;YYYY;1234<BR /> Event 2<BR /> 11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY<BR /> Event 3<BR /> ;ZZZZ<BR /> Event 4<BR /> ;ZZZY</P> Tue, 13 Nov 2012 05:42:05 GMT https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31028#M5452 raju_dara 2012-11-13T05:42:05Z https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31029#M5453 <P>You won't see Event 3 and Event 4 merged into Event 2 as long as SHOULD_LINEMERGE is set to false, stick to the default value of true.</P> Tue, 13 Nov 2012 08:15:22 GMT https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31029#M5453 martin_mueller 2012-11-13T08:15:22Z https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31030#M5454 <P>That did the knack.. Thank you soo much..</P> Tue, 13 Nov 2012 17:46:04 GMT https://community.splunk.com/t5/Getting-Data-In/Line-breaker-to-break-the-events/m-p/31030#M5454 raju_dara 2012-11-13T17:46:04Z