https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363813#M66269 <P>I will need to schedule the restart of splunkd. I will let you know how it goes!</P> Fri, 05 Jan 2018 19:30:37 GMT Branden 2018-01-05T19:30:37Z https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363808#M66264 <P>I have a log file of properly formatted JSON events, but the event break is not working properly. Sometimes it separates the JSON into separate events, sometimes it does not. There doesn't seem to be any rhyme or reason to this. </P> <P>I tried the solution here: <A href="https://answers.splunk.com/answers/80741/event-break-json.html">https://answers.splunk.com/answers/80741/event-break-json.html</A> but it did not work. I am unable to restart Splunk at this time, however, but my understanding is that I shouldn't need to. (Please correct me if I'm wrong.)</P> <P>Here's my props.conf entry:</P> <PRE><CODE>[s-web] KV_MODE = json LINE_BREAKER = "(^){" NO_BINARY_CHECK = 1 TRUNCATE = 0 SHOULD_LINEMERGE = false </CODE></PRE> <P>Here's a sample event:</P> <PRE><CODE>{"pid":17156,"hostname":"sub.hostname.com","name":"s-undefined","level":30,"time":1515143225539,"remoteAddr":"::ffff:99.99.99.99","remoteAddrs":[],"method":"GET","url":"/","sessionId":"abcd2b32-00e8-4e0b-97f6-23abcdef3233e","v":1} </CODE></PRE> <P>Am I missing something here? </P> <P>Thank you in advance for your assistance!</P> Fri, 05 Jan 2018 16:13:29 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363808#M66264 Branden 2018-01-05T16:13:29Z https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363809#M66265 <P>Try with this (keep the rest of the settings)</P> <PRE><CODE> LINE_BREAKER = ([\r\n]+)(?=\{\s*\"pid\") </CODE></PRE> Fri, 05 Jan 2018 16:18:00 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363809#M66265 somesoni2 2018-01-05T16:18:00Z https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363810#M66266 <P>Unfortunately, that did not help. <BR /> Is it possible I simply need to restart Splunk after making the props.conf change? </P> Fri, 05 Jan 2018 16:22:38 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363810#M66266 Branden 2018-01-05T16:22:38Z https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363811#M66267 <P>Yes.. you do need a restart for that change to take effect.</P> Fri, 05 Jan 2018 16:29:08 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363811#M66267 somesoni2 2018-01-05T16:29:08Z https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363812#M66268 <P>hey @Branden</P> <P>If you just care about breaking the event correctly then you could use the following</P> <PRE><CODE>[s-web] BREAK_ONLY_BEFORE = \{\"pid\" </CODE></PRE> <P>and thereafter restart <CODE>splunkd</CODE><BR /> Let me know if this helps you!</P> Fri, 05 Jan 2018 16:42:12 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363812#M66268 mayurr98 2018-01-05T16:42:12Z https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363813#M66269 <P>I will need to schedule the restart of splunkd. I will let you know how it goes!</P> Fri, 05 Jan 2018 19:30:37 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-event-breaks-not-working-sometimes/m-p/363813#M66269 Branden 2018-01-05T19:30:37Z