https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425735#M74618 <P>I added to my props.conf and did not see a change in behavior. I'm still seeing the same - one of the .txt files has been split to 10 events where each line is its own event; while 2 other .txt files are still being returned as a multi-line event. </P> <P>As I understand Splunk, changes in line breaking are applied at search time, correct? </P> <P>Could there be an issue in how the .txt file is formatted?<BR /> I'm generally aware that there are some quirks with how Notepad.exe handles new lines (as evidenced by trying to modify any Splunk app in Notepad - there are never any linebreaks). Because of that I use another tool that handles the new lines appropriately - are there any tools (e.g. notepad++) that could identify what type of new line is present in my .txt file?</P> Fri, 08 Mar 2019 13:01:31 GMT danielansell 2019-03-08T13:01:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425730#M74613 <P>Everytime a CD is burned with Roxio SecureBurn, a txt file log of the cd is created. The format of the .txt log file is:</P> <P>Date: Thu Mar 7 13:47:00 2019<BR /> Computer Name: ComputerName01<BR /> User Name: domain.accountname</P> <H1>Project includes 1 folder(s) and 2 file(s)</H1> <P>C:\Users\accountname\Desktop\TransferFolder\file1.txt e69f78a887b(rest of file hash)a35 3764543bytes 2019/3/7 08:13:15<BR /> C:\Users\accountname\Desktop\TransferFolder\file2.txt e69f78a887b(rest of file hash)a35 7764543bytes 2019/3/7 08:13:18<BR /> END OF FILE</P> <P>My props.conf for the sourcetype I created includes:<BR /> SHOULD_LINEMERGE = false</P> <P>Linebreaking is occurring inconsistently. Some of my events show up where each line is its own event, others include every bit of data in the .txt file as its own event. Any ideas - perhaps a more bulletproof way to force a break? Do Windows .txt files normally have inconsistancies with a carriage return or line breaking?</P> Thu, 07 Mar 2019 19:45:02 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425730#M74613 danielansell 2019-03-07T19:45:02Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425731#M74614 <P>Forgive my ignorance - does each burn job result in a new file, or all all the job logs written into the same log?</P> Fri, 08 Mar 2019 11:49:06 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425731#M74614 nickhills 2019-03-08T11:49:06Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425732#M74615 <P>When you set <CODE>SHOULD_LINEMERGE = false</CODE> you also need to specify a linebreaker. And while you're at it, it is always good to specify time format config explicitly as well.</P> <P>So, try adding this to your props.conf:</P> <PRE><CODE>LINE_BREAKER = ([\r\n]*)Date:\s+\w+\s+\w+\s+\d+ TIME_PREFIX = Date:\s+ MAX_TIMESTAMP_LOOKAHEAD = 25 TIME_FORMAT = %a %b %e %H:%M:%S %Y </CODE></PRE> Fri, 08 Mar 2019 12:25:56 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425732#M74615 FrankVl 2019-03-08T12:25:56Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425733#M74616 <P>Each job results in a new file. As such, I intend to use the source field as a means to provide meaningful data (using either a transaction, or "by" to group data). </P> Fri, 08 Mar 2019 12:37:44 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425733#M74616 danielansell 2019-03-08T12:37:44Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425734#M74617 <P>The ultimate goal is actually to extract data from each file burned to CD. When each .txt file is returned as a single event, I tried to extract data though using the rex command. The first result is stored in my "FileSize" field, but it does not continue on to the remaining lines. </P> <P>So alternatively, if there is a more appropriate way to populate a FileSize, FileName, etc. field from each line, without breaking the event into single line events, that would be great as well. </P> Fri, 08 Mar 2019 12:48:42 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425734#M74617 danielansell 2019-03-08T12:48:42Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425735#M74618 <P>I added to my props.conf and did not see a change in behavior. I'm still seeing the same - one of the .txt files has been split to 10 events where each line is its own event; while 2 other .txt files are still being returned as a multi-line event. </P> <P>As I understand Splunk, changes in line breaking are applied at search time, correct? </P> <P>Could there be an issue in how the .txt file is formatted?<BR /> I'm generally aware that there are some quirks with how Notepad.exe handles new lines (as evidenced by trying to modify any Splunk app in Notepad - there are never any linebreaks). Because of that I use another tool that handles the new lines appropriately - are there any tools (e.g. notepad++) that could identify what type of new line is present in my .txt file?</P> Fri, 08 Mar 2019 13:01:31 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425735#M74618 danielansell 2019-03-08T13:01:31Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425736#M74619 <P>That sounds like a matter of setting <CODE>max_matches=0</CODE> in your rex command. By default the rex command stops after finding 1 match.</P> Fri, 08 Mar 2019 13:03:15 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425736#M74619 FrankVl 2019-03-08T13:03:15Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425737#M74620 <P>I typically use rex to test my extractions before building my field extractions in my props.conf. <BR /> Will a field extraction defined in a props.conf return multiple values - should a max_matches=0 be added to my props.conf?</P> <P>If so, will I be able to perform stats functions on the multivalued field? For example, if I were to define a FileSize field in my props.conf as an extraction, and I'd like to return a total size for the burn job, would I be able to do the following:<BR /> ...search... |eval DiscSize=sum(FileSize) by source</P> Fri, 08 Mar 2019 13:15:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425737#M74620 danielansell 2019-03-08T13:15:24Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425738#M74621 <P>You can use a REPORT extraction and configure the corresponding transforms.conf settings with <CODE>MV_ADD=true</CODE>.</P> <P>Yes, something like that would work. Although the correct syntax would be: <CODE>| stats sum(FileSize) by source</CODE> not eval <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>But it might also be valid to split this into single line events upon indexing, as multi valued fields can be a bit difficult to work with sometimes. But then you will have to find a way of dealing with those header lines of the file (if at all interesting).</P> Fri, 08 Mar 2019 13:34:08 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425738#M74621 FrankVl 2019-03-08T13:34:08Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425739#M74622 <P>Linebreaking happens at indextime. So to see the changes take effect, you need to restart and ingest fresh sample files.</P> Fri, 08 Mar 2019 13:34:41 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425739#M74622 FrankVl 2019-03-08T13:34:41Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425740#M74623 <P>That's my problem. I was expecting the props config to be interpreted at search time. The event I have that is broken up correctly was indexed after my props change. I didn't put two and two together with that. </P> <P>I think I'll re-index the data and see if that serves my needs. </P> <P>Thanks for the help - to include up above with the stats versus eval. </P> Fri, 08 Mar 2019 16:18:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425740#M74623 danielansell 2019-03-08T16:18:32Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425741#M74624 <P>Were you able to extract the file names and sizes from these logs, if so would you be willing to share?</P> Fri, 17 Jan 2020 21:59:16 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425741#M74624 mfw113 2020-01-17T21:59:16Z https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425742#M74625 <P>For file details, my extraction looks like this:</P> <PRE><CODE>(?P&lt;FileName&gt;.+)\s(?P&lt;FileHash&gt;[0-9a-fA-F]{40})\s+(?P&lt;FileSize&gt;\d+)bytes\s+(?P&lt;FileModDate&gt;\d{4}\/\d+\/\d+\s\d+:\d+:\d+ </CODE></PRE> Tue, 21 Jan 2020 21:38:06 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-line-breaking-inconsistent-File-Monitoring-Roxio/m-p/425742#M74625 danielansell 2020-01-21T21:38:06Z