https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406964#M72191 <P>The LINE_BREAKER will not function unless you give it a <CODE>capture group</CODE> (there is probably an error in your error log if you search for it with something like <CODE>index=_* sourcetype=splunkd LINE_BREAKER capture</CODE>). Everything in the <CODE>capture group</CODE> will be discarded. The <CODE>capture group</CODE> may be empty, but it <EM>MUST</EM> exist. Try this:</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = {"agent() </CODE></PRE> Tue, 29 Sep 2020 22:48:45 GMT woodcock 2020-09-29T22:48:45Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406962#M72189 <P>I have a json blob, lets ignore the fact it is json for now. I simply want to force Splunk to break a single blob on a word. </P> <P>Where the string {"agent" exists multiple times, these are the the only settings I have set in props for the sourcetype.</P> <P>SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = {"agent</P> <P>This should break, but it is not. Why is Splunk refusing to break this event? Again, I know this is json, but I want to understand LINE_BREAKER, as I have read about 3 novels on its use, and it repeatedly fails when implemented.</P> Tue, 29 Sep 2020 22:47:09 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406962#M72189 Cuyose 2020-09-29T22:47:09Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406963#M72190 <P>The <CODE>LINE_BREAKER</CODE> attribute <EM>must</EM> contain a capture group. Be warned the contents of the capture group will be discarded so choose it carefully. It's perfectly legitimate to have an empty capture group as in <CODE>LINE_BREAKER = (){"agent</CODE>.</P> Wed, 16 Jan 2019 18:17:48 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406963#M72190 richgalloway 2019-01-16T18:17:48Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406964#M72191 <P>The LINE_BREAKER will not function unless you give it a <CODE>capture group</CODE> (there is probably an error in your error log if you search for it with something like <CODE>index=_* sourcetype=splunkd LINE_BREAKER capture</CODE>). Everything in the <CODE>capture group</CODE> will be discarded. The <CODE>capture group</CODE> may be empty, but it <EM>MUST</EM> exist. Try this:</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = {"agent() </CODE></PRE> Tue, 29 Sep 2020 22:48:45 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406964#M72191 woodcock 2020-09-29T22:48:45Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406965#M72192 <P>Thanks, I was making it more complicated in my head. </P> Wed, 16 Jan 2019 18:47:24 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406965#M72192 Cuyose 2019-01-16T18:47:24Z https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406966#M72193 <P>Missed it by &gt;that&lt; much.</P> Wed, 16 Jan 2019 19:23:03 GMT https://community.splunk.com/t5/Getting-Data-In/LINE-BREAKER-not-working-with-most-basic-settings/m-p/406966#M72193 woodcock 2019-01-16T19:23:03Z