topic Re: Need to stop the events being Split in Getting Data In

Need to stop the events being Split

ashrafshareeb — Thu, 24 Jan 2019 12:57:21 GMT

Hi All,

I have a scenario where the events should not be split, but after trying a lot of options it still seems to be not working. Its an health check log,

Sample data

Relay is RUNNING - PID 123123
deal publisher is RUNNING - PID 80345
C ADAPTER is RUNNING - PID 99342
M ADAPTER is RUNNING - PID 662521
SMA is RUNNING - PID 12321321

I just want all them to be an single event, but it keeps on splitting in different ways.

In props.config,
[ehealth] TRUNCATE = 0 MAX_EVENTS = 5

I have tried SHOULD_LINEMERGE = true as well, but doesnt seems to be working. I just want no to break and all the 5 lines get indexed as a single event.

Thanks in advance.

Re: Need to stop the events being Split

dkeck — Tue, 29 Sep 2020 22:55:36 GMT

HI,

if you set SHOULD_LINEMERGE=true you need another option

refer to this:https://docs.splunk.com/Documentation/SplunkCloud/7.1.3/Data/Configureeventlinebreaking#Attributes_that_apply_only_when_the_SHOULD_LINEMERGE_setting_is_true

you could set BREAK_ONLY_BEFORE = ^Relay. If you know that your events always start like this

Tested it in splunk data upload, and I actually have the problem that splunk is not splitting the events until "BREAK_ONLY_BEFORE = ^Relay" is set. Not that some other conf is messing with your settings.

Re: Need to stop the events being Split

ashrafshareeb — Thu, 24 Jan 2019 14:28:33 GMT

Hi dkeck,

Thanks for the response.

I have tried the below props.conf and still its not working, the events are getting split differently each time.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^Relay

The events start with Relay as shown in the sample, I have tried adding TRUNCATE=0 and MAX_EVENTS = 5 along with the above configs but doesn't make any difference

Re: Need to stop the events being Split

dkeck — Thu, 24 Jan 2019 15:05:49 GMT

Did you restart after you changed props?

Re: Need to stop the events being Split

ashrafshareeb — Fri, 25 Jan 2019 16:24:27 GMT

Apologies for late reply, I have restarted after the props.conf changes still no luck.

Re: Need to stop the events being Split

woodcock — Fri, 25 Jan 2019 16:41:59 GMT

Use this:

[ehealth]
LINE_BREAKER = (?!)
SHOULD_LINEMERGE = false

Re: Need to stop the events being Split

ashrafshareeb — Sat, 26 Jan 2019 19:06:57 GMT

It has split all the 5 lines to single events. I want all the 5 lines to be a single event and not split at all

Re: Need to stop the events being Split

woodcock — Sat, 26 Jan 2019 21:47:43 GMT

I am quite certain that this configuration will work. It is highly likely that problem is not in the configuration settings but in your delpoyment or testing approach. Answer these questions.
1: Are you overriding/resetting/modifying the sourcetype using a setting in transforms.conf and if so, are you using the original sourcetype or the modified one (you MUST use the original one)?
2: Have you deployed this props.conf file to the FIRST FULL INSTANCE of splunk (e.g. HF/IF or Indexers)?
3: Have you restarted all Splunk instances on those nodes?
4: Are you using _index_earliest=-5m in your search SPL when you test to make sure that you are only looking at newly-indexed events?

Re: Need to stop the events being Split

ashrafshareeb — Mon, 28 Jan 2019 11:23:52 GMT

It's a distributed setup with 2 SH and 4 IDX
1. No transforms.conf
2. I have deployed it in the indexers through the deployment server
3. Yes, I have restarted all the splunk instances
4. I'm using last 15 min in the search time range picker.

Re: Need to stop the events being Split

woodcock — Mon, 28 Jan 2019 18:28:54 GMT

#4 is totally inadequate. You should use All time and _index_earliest=-5m. Most people do not have their events timestamped correctly.

Re: Need to stop the events being Split

ashrafshareeb — Tue, 29 Jan 2019 11:32:12 GMT

I have tried with All time and _index_earliest=-5m but still the same result. 5 lines in the above sample is getting split into 5 different events (with same time stamp). All those 5 lines should be a single event and not split at all

Re: Need to stop the events being Split

woodcock — Tue, 29 Jan 2019 16:30:00 GMT

Are you doing a sourcetype override? If so, you need to use the original sourcetype value, not the new ehealth value.

Re: Need to stop the events being Split

ashrafshareeb — Tue, 29 Sep 2020 23:19:27 GMT

just an update on this issue(just in case anyone has the same issue) the events were being written in the log file with a delay, by default the time_before_close is 3 seconds. I had to change this to 5 seconds and also also set the multiline_event_extra_waittime=true in inputs.conf

time_before_close = 5
multiline_event_extra_waittime = true

From Splunk documentation on these parameters,
time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past
seconds.
* Defaults to 3.

multiline_event_extra_waittime = [true|false]
*By default, Splunk Enterprise sends an event delimiter when (1) it reaches EOF of a file it monitors and (2) the last char it reads is a newline.
*In some cases, it takes time for all lines of a multiple-line event to arrive.
*Set to true to delay sending an event delimiter until the time that Splunk Enterprise closes the file, as defined by the time_before_close attribute, to allow all event lines to arrive.
*Default to false.