https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356348#M65077 <P>I would give this a try. Also ensure that you kept this config in right place (Indexer/heavy forwarder whichever comes first in flow)</P> <PRE><CODE>[SOURCETYPE_NAME] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(?=\s*\{\s*\"timestam_ns\") TIME_FORMAT = %s%9N TIME_PREFIX = ^\s*\{\s*\"timestam_ns\" MAX_TIMESTAMP_LOOKAHEAD = 20 </CODE></PRE> Fri, 16 Jun 2017 16:36:52 GMT somesoni2 2017-06-16T16:36:52Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356347#M65076 <P>Hi, I've reviewed almost all the question about event line breaking but still have some inconsistency with data ingesting to my Splunk Enterprise. Is there any sort of debugging/logging system for data input and the method which Splunk use to handle multiline events. My data looks like this:</P> <BLOCKQUOTE> <P>{"timestamp_ns":1497623896051426216,"timestamp":1497623896,"measurements":{"response_send_time_us":147,"walltime_us":1003,"xxxxx_walltime_us":493,"xxxxx_walltime_us":510,"xxxxx_time_us":159,"xxxxx_time_us":120,"xxxxx_time_us":82},"application":"xxxxx","type":"xxxxx_query_request","metadata":{"request_type":2,"xx_id":1,"request_timestamp_ns":1497623896050422653,"request_id":"1234567890123456789"}}<BR /> {"timestamp_ns":1497623896051426216,"timestamp":1497623896,"measurements":{"response_send_time_us":147,"walltime_us":1003,"xxxxx_walltime_us":493,"xxxxx_walltime_us":510,"xxxxx_time_us":159,"xxxxx_time_us":120,"xxxxx_time_us":82},"application":"xxxxx","type":"xxxxx_query_request","metadata":{"request_type":2,"xx_id":1,"request_timestamp_ns":1497623896050422653,"request_id":"1234567890123456789"}}<BR /> {"timestamp_ns":1497623896051426216,"timestamp":1497623896,"measurements":{"response_send_time_us":147,"walltime_us":1003,"xxxxx_walltime_us":493,"xxxxx_walltime_us":510,"xxxxx_time_us":159,"xxxxx_time_us":120,"xxxxx_time_us":82},"application":"xxxxx","type":"xxxxx_query_request","metadata":{"request_type":2,"xx_id":1,"request_timestamp_ns":1497623896050422653,"request_id":"1234567890123456789"}}<BR /> {"timestamp_ns":1497623896051426216,"timestamp":1497623896,"measurements":{"response_send_time_us":147,"walltime_us":1003,"xxxxx_walltime_us":493,"xxxxx_walltime_us":510,"xxxxx_time_us":159,"xxxxx_time_us":120,"xxxxx_time_us":82},"application":"xxxxx","type":"xxxxx_query_request","metadata":{"request_type":2,"xx_id":1,"request_timestamp_ns":1497623896050422653,"request_id":"1234567890123456789"}}<BR /> Here's what I've tried in props.conf:</P> <P>[SOURCETYPE_NAME]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 20<BR /> SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = ([\r\n]+){\"timestam_ns\"<BR /> TIME_FORMAT = %s%9N<BR /> TIME_PREFIX = "timestamp_ns":<BR /> For <CODE>SHOULD_LINEMERGE = false</CODE>, I've tried other <CODE>LINE_BREAKER</CODE> as well, like <CODE>^\{</CODE>, <CODE>([\r\n]+)\{</CODE>, etc but no luck.</P> </BLOCKQUOTE> <PRE><CODE>[SOURCETYPE_NAME] MAX_TIMESTAMP_LOOKAHEAD = 20 SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = ^\{ TIME_FORMAT = %s%9N TIME_PREFIX = "timestamp_ns": </CODE></PRE> <P>Just for your information, I've tried manual <EM>Add Data</EM> feature and both configs works fine there. And I'm testing these stuff on a Splunk Developer Personal License before applying the changes against the actual Enterprise version.</P> Tue, 29 Sep 2020 14:31:10 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356347#M65076 msichani 2020-09-29T14:31:10Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356348#M65077 <P>I would give this a try. Also ensure that you kept this config in right place (Indexer/heavy forwarder whichever comes first in flow)</P> <PRE><CODE>[SOURCETYPE_NAME] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(?=\s*\{\s*\"timestam_ns\") TIME_FORMAT = %s%9N TIME_PREFIX = ^\s*\{\s*\"timestam_ns\" MAX_TIMESTAMP_LOOKAHEAD = 20 </CODE></PRE> Fri, 16 Jun 2017 16:36:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356348#M65077 somesoni2 2017-06-16T16:36:52Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356349#M65078 <P>Hi msichani, </P> <P>try the following stanza</P> <PRE><CODE>[SOURCETYPE_NAME] MAX_TIMESTAMP_LOOKAHEAD = 20 SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = \{\"timestamp\_ns\" TIME_FORMAT = %s%9N TIME_PREFIX = "timestamp_ns": </CODE></PRE> Fri, 16 Jun 2017 16:43:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356349#M65078 horsefez 2017-06-16T16:43:39Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356350#M65079 <P>I think the trick was the right place, it was going through heavy forwarder, Added <CODE>_TCP_ROUTING</CODE> and it looks fine now. Thanks for the hint @somesoni2</P> Fri, 16 Jun 2017 18:09:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356350#M65079 msichani 2017-06-16T18:09:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356351#M65080 <P>The problem was with HF in between, your stanaza should definitely work as well but with proper routing. Thanks anyway.</P> Fri, 16 Jun 2017 18:10:53 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Event-line-breaking-not-working-properly/m-p/356351#M65080 msichani 2017-06-16T18:10:53Z