topic Re: How to split multiple lines of data into a single individual line in splunk? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-split-multiple-lines-of-data-into-a-single-individual/m-p/397483#M70862 <P>Hi All, </P> <P>Got how to split the multiple event in to single individual event using the Line_Breaker stanza in props.conf </P> <PRE><CODE> [who] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT [lastlog] ## Override system/default lastlog sourcetype invalidation invalid_cause = SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT </CODE></PRE> Wed, 20 Jun 2018 14:53:00 GMT Hemnaath 2018-06-20T14:53:00Z How to split multiple lines of data into a single individual line in splunk? https://community.splunk.com/t5/Getting-Data-In/How-to-split-multiple-lines-of-data-into-a-single-individual/m-p/397482#M70861 <P>Hi All, We are monitoring the wtmpx data from the Unix machines via splunk using the Splunk add-on for Unix, based on this add-on we could see the data from the wtmpx file in splunk, but currently we could see the data ingesting from the wtmpx file into splunk with multiple line like shown below.</P> <PRE><CODE> 6/20/18 6:26:03.000 AM USERNAME LINE HOSTNAME TIME HXXX019 pts/1 w442xty1.XXXX.com Jun 19 18:40 Hxxx007 pts/5 yb33gnn1.XXXX.com Jun 19 08:53 6/20/18 6:23:33.000 AM USERNAME LINE HOSTNAME TIME HXXX019 pts/1 w442xty1.XXXX.com Jun 19 18:40 HXXX007 pts/5 yb33gnn1.XXXX.com Jun 19 08:53 </CODE></PRE> <P>But instead of multiple line we want to have it as single event like this </P> <PRE><CODE>USERNAME LINE HOSTNAME TIME HXXX019 pts/1 w442xty1.XXXX.com Jun 19 18:40 USERNAME LINE HOSTNAME TIME HXXX007 pts/5 yb33gnn1.XXXX.com Jun 19 08:53 </CODE></PRE> <P>And also if there is no content in the log then it should be removed from splunk. <BR /> example: </P> <PRE><CODE> USERNAME LINE HOSTNAME TIME host=r3crp00 source=who sourcetype=who </CODE></PRE> <P>Props.conf details for the sourcetype=who </P> <PRE><CODE>[who] SHOULD_LINEMERGE=false LINE_BREAKER=^()$ TRUNCATE=1000000 DATETIME_CONFIG = CURRENT </CODE></PRE> <P>sourcetype=lastlog</P> <PRE><CODE>[lastlog] ## Override system/default lastlog sourcetype invalidation invalid_cause = SHOULD_LINEMERGE=false LINE_BREAKER=^()$ TRUNCATE=1000000 DATETIME_CONFIG = CURRENT </CODE></PRE> <P>Kindly guide me how to configure this in the props.conf file.</P> <P>thanks in advance.</P> Wed, 20 Jun 2018 12:33:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-multiple-lines-of-data-into-a-single-individual/m-p/397482#M70861 Hemnaath 2018-06-20T12:33:30Z Re: How to split multiple lines of data into a single individual line in splunk? https://community.splunk.com/t5/Getting-Data-In/How-to-split-multiple-lines-of-data-into-a-single-individual/m-p/397483#M70862 <P>Hi All, </P> <P>Got how to split the multiple event in to single individual event using the Line_Breaker stanza in props.conf </P> <PRE><CODE> [who] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT [lastlog] ## Override system/default lastlog sourcetype invalidation invalid_cause = SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT </CODE></PRE> Wed, 20 Jun 2018 14:53:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-split-multiple-lines-of-data-into-a-single-individual/m-p/397483#M70862 Hemnaath 2018-06-20T14:53:00Z