https://community.splunk.com/t5/Getting-Data-In/Why-is-the-multi-line-event-breaking-working-inconsistently/m-p/313343#M58731 <P>What is your props setting now exactly? <BR /> What happens when you try this:</P> <P>[webadm]<BR /> SHOULD_LINEMERGE=true<BR /> NO_BINARY_CHECK=true<BR /> CHARSET=AUTO<BR /> MAX_TIMESTAMP_LOOKAHEAD=19<BR /> disabled=false<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S<BR /> TIME_PREFIX=[</P> <P>Also try if adding BREAK_ONLY_BEFORE=[\d{4}-\d\d?-\d\d?\s\d\d?:\d\d?:\d\d?] helps</P> Tue, 29 Sep 2020 18:56:09 GMT Azeemering 2020-09-29T18:56:09Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-multi-line-event-breaking-working-inconsistently/m-p/313342#M58730 <P>I'm trying to successfully ingest WebADM logs, a one-time password solution. The logs are... a mess. But the line breaking should be pretty straightforward, but the results are inconsistent.</P> <P>This is what a successful login message looks like:</P> <PRE><CODE>[2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|New openotpSimpleLogin SOAP request|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|&gt; Username: admin|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|&gt; Domain: r1|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|&gt; Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|&gt; Client ID: LDAP|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|&gt; Settings: ChallengeMode=No|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|&gt; Options: -U2F|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Registered openotpSimpleLogin request|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Resolved LDAP user: cn=admin,ou=special,o=r1 (cached)|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Started transaction lock for user|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Found 37 user settings: LoginMode=LDAP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,ChallengeLock=No,ChallengeFake=No,TrustedContext=No,MobileTimeout=30,EnableLogin=Yes,TmpKeys=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID,ReplyDataURL=http://webadm:4000/radius_authorization/authorize?client=10.10.5.20,http://webadm05:4000/radius_authorization/authorize?client=10.10.5.20,http://webadm04:4000/radius_authorization/authorize?client=10.10.5.20,http://webadm02:4000/radius_authorization/authorize?client=10.10.5.20,http://webadm-03301.node.ad3.r1:3000/radius_authorization/authorize?client=10.10.5.20,http://webadm03:4000/radius_authorization/authorize?client=10.10.5.20|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Found 1 request settings: ChallengeMode=No|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Found 2 user data: LoginCount,RejectCount|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Requested login factors: LDAP|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|LDAP password Ok|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Updated user data|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 [2018-04-04 17:17:09] [10.10.10.10] CEF|0|RCDevs|WebADM|1.6.1-1|OpenOTP|Sent success response|1|sid=BKQSK2FC src=10.10.10.10 dst=10.10.10.10 </CODE></PRE> <P>For a failure message, the last line says "Sent failure response" instead.</P> <P>I would think something like this should work:</P> <PRE><CODE>[webadm] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = New openotpSimpleLogin SOAP request MUST_BREAK_AFTER = Sent failure response|Sent success response </CODE></PRE> <P>I've tried using only the "BREAK_ONLY_BEFORE" logic. I've tried including the TIME_FORMAT since I've read that can resolve some line breaking issues. I've tried replacing the spaces with "\s" regex.</P> <P>I'd say the line breaking works about 85% correctly, but the 15% that don't work don't seem to have anything particular in common, such as the host, the WebADM server used, the user name, etc.</P> <P>I feel like I'm taking crazy pills here. I cannot get Splunk to break these events consistently.</P> Tue, 29 Sep 2020 18:52:28 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-multi-line-event-breaking-working-inconsistently/m-p/313342#M58730 responsys_cm 2020-09-29T18:52:28Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-multi-line-event-breaking-working-inconsistently/m-p/313343#M58731 <P>What is your props setting now exactly? <BR /> What happens when you try this:</P> <P>[webadm]<BR /> SHOULD_LINEMERGE=true<BR /> NO_BINARY_CHECK=true<BR /> CHARSET=AUTO<BR /> MAX_TIMESTAMP_LOOKAHEAD=19<BR /> disabled=false<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S<BR /> TIME_PREFIX=[</P> <P>Also try if adding BREAK_ONLY_BEFORE=[\d{4}-\d\d?-\d\d?\s\d\d?:\d\d?:\d\d?] helps</P> Tue, 29 Sep 2020 18:56:09 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-multi-line-event-breaking-working-inconsistently/m-p/313343#M58731 Azeemering 2020-09-29T18:56:09Z