https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355210#M64946 <P>Thanks @somesoni2.<BR /> It worked but the end of the event is looking as &lt; instead of </P> <P><I>PDT Socket Created</I><B>642949672951</B>&lt;</P> Fri, 28 Apr 2017 19:20:53 GMT chintan_shah 2017-04-28T19:20:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355205#M64941 <P>Hi, <BR /> i am trying to break the event which we receive from our hand held devices into separate events but its not working properly.<BR /> The logs doesn't have any LINE BREAKER and i am using /msg&gt; as delimiter but its not working.<BR /> Can some one help me in breaking this event?</P> <P>Sample Logs:</P> Fri, 28 Apr 2017 16:21:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355205#M64941 chintan_shah 2017-04-28T16:21:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355206#M64942 <P>You're missing sample logs here.</P> Fri, 28 Apr 2017 16:39:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355206#M64942 somesoni2 2017-04-28T16:39:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355207#M64943 <P>Hi<BR /> Please find the sample log<BR /> <I>PDT Socket Created</I><B>2214294967295</B><I>Extracted PDT Request</I></P> Fri, 28 Apr 2017 18:38:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355207#M64943 chintan_shah 2017-04-28T18:38:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355208#M64944 <PRE><CODE>&lt;msg t='status' e='2' d='2017/04/28 14:31:28'&gt;&lt;s f='' h='CPDTSocket()'/&gt;&lt;i&gt;PDT Socket Created&lt;/i&gt;&lt;b&gt;&lt;z&gt;&lt;v n='PDTSocket ID'&gt;221&lt;/v&gt;&lt;/z&gt;&lt;z&gt;&lt;v n='Socket Handle'&gt;4294967295&lt;/v&gt;&lt;/z&gt;&lt;/b&gt;&lt;/msg&gt;&lt;msg t='status' e='2' d='2017/04/28 14:31:28'&gt;&lt;s f='' h='FetchRequest()'/&gt;&lt;i&gt;Extracted PDT Request&lt;/i&gt;&lt;/msg&gt; </CODE></PRE> Fri, 28 Apr 2017 18:41:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355208#M64944 chintan_shah 2017-04-28T18:41:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355209#M64945 <P>Try this for your line breaking configuration</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=(\/msg\&gt;)*(?=\&lt;msg) TIME_PREFIX=d=' TIME_FORMAT=%Y/%m/%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD=19 </CODE></PRE> Fri, 28 Apr 2017 18:50:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355209#M64945 somesoni2 2017-04-28T18:50:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355210#M64946 <P>Thanks @somesoni2.<BR /> It worked but the end of the event is looking as &lt; instead of </P> <P><I>PDT Socket Created</I><B>642949672951</B>&lt;</P> Fri, 28 Apr 2017 19:20:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355210#M64946 chintan_shah 2017-04-28T19:20:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355211#M64947 <PRE><CODE>&lt;msg t='status' e='2' d='2017/03/30 09:41:05'&gt;&lt;s f='' h='CPDTSocket()'/&gt;&lt;i&gt;PDT Socket Created&lt;/i&gt;&lt;b&gt;&lt;z&gt;&lt;v n='PDTSocket ID'&gt;6&lt;/v&gt;&lt;/z&gt;&lt;z&gt;&lt;v n='Socket Handle'&gt;4294967295&lt;/v&gt;&lt;/z&gt;&lt;z&gt;&lt;v n='(logs removed)'&gt;1&lt;/v&gt;&lt;/z&gt;&lt;/b&gt;&lt; </CODE></PRE> Fri, 28 Apr 2017 19:21:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355211#M64947 chintan_shah 2017-04-28T19:21:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355212#M64948 <P>It's actually removing string in first brackets in LINE_BREAKER. If you need that you can use below,</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=(\&lt;msg) TIME_PREFIX=d=' TIME_FORMAT=%Y/%m/%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD=19 SEDCMD-addheader = s/^(.+)/&lt;msg \1/ </CODE></PRE> Fri, 28 Apr 2017 19:25:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355212#M64948 somesoni2 2017-04-28T19:25:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355213#M64949 <P>Thanks Somesoni2. It worked.</P> Fri, 28 Apr 2017 20:25:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-break-my-events/m-p/355213#M64949 chintan_shah 2017-04-28T20:25:39Z