https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431874#M75594 <P>hey guys, sorry for making my comment an answer. For some reason, it won't allow me to make comments, only answers.... ???<BR /> When I click on "comment" it drops down to the main answers section.</P> Thu, 31 May 2018 14:23:55 GMT dpetracca_splun 2018-05-31T14:23:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431866#M75586 <P>Hi Team,</P> <P>We have ingested the NSG flow logs from azure and few events are not breaking the events properly, could you please help me to write the LINE_BREAKER rule for below events.</P> <P>Sample events:</P> <PRE><CODE>"time":"2018-05-30T16:07:43.6682050Z","systemId":"","category":"NetworkSecurityGroupFlowEvent","12000,T,O,A"]}]}]}{"time":"2018-05-30T16:06:43.6499999Z","systemId":"","category":"NetworkSecurityGroupFlowEvent","resourceId":"/,T,O,A"]}]}]}{"time":"2018-05-30T16:06:43.6499999Z","systemId":"","category":"NetworkSecurityGroupFlowEvent","resourceId":"/,T,O,A"]}]}]} </CODE></PRE> <P>LINE_BREAKER=?</P> Wed, 30 May 2018 16:34:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431866#M75586 lksridhar 2018-05-30T16:34:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431867#M75587 <P>@lksridhar, can you try with this?</P> <PRE><CODE>LINE_BREAKER=(]}]}]}) TIME_PREFIX="time": MAX_TIMESTAMP_LOOKAHEAD=29 </CODE></PRE> Wed, 30 May 2018 17:24:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431867#M75587 niketn 2018-05-30T17:24:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431868#M75588 <P>Are you missing a curly bracket in the line 1??</P> Wed, 30 May 2018 21:53:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431868#M75588 somesoni2 2018-05-30T21:53:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431869#M75589 <P>I came to same conclusion as <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201110">@niketn</a><BR /> I tested it out and here is the props.conf that works:</P> <P>[test_line_break]<BR /> DATETIME_CONFIG = <BR /> LINE_BREAKER = (]}]}]})<BR /> MAX_TIMESTAMP_LOOKAHEAD = 27<BR /> NO_BINARY_CHECK = true<BR /> TIME_PREFIX = time<BR /> category = Custom<BR /> disabled = false<BR /> pulldown_type = true</P> Tue, 29 Sep 2020 19:44:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431869#M75589 dpetracca_splun 2020-09-29T19:44:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431870#M75590 <P>@dpetracca I had <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> as 29 to extract even the timezone. Are you planning to apply TIMESTAMP_FORMAT <CODE>%6N</CODE> and stop Timestamp extraction?</P> Thu, 31 May 2018 05:29:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431870#M75590 niketn 2018-05-31T05:29:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431871#M75591 <P>@niketnilay, no your 29 is correct, I wasn't looking at timezone. Was more focused on the line break actually. </P> Thu, 31 May 2018 12:57:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431871#M75591 dpetracca_splun 2018-05-31T12:57:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431872#M75592 <P>Thanks nikentilay and dpetracca for your input. i tried nikentilay command it is working for me.</P> <P>LINE_BREAKER=(]}]}]})<BR /> TIME_PREFIX="time":<BR /> MAX_TIMESTAMP_LOOKAHEAD=29</P> <P>Thanks for helping to fix the issue.</P> Tue, 29 Sep 2020 19:44:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431872#M75592 lksridhar 2020-09-29T19:44:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431873#M75593 <P>@lksridhar, great to hear that your issue is resolved. I have converted my comment to answer. Please accept to mark this question as answered!</P> Thu, 31 May 2018 14:05:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431873#M75593 niketn 2018-05-31T14:05:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431874#M75594 <P>hey guys, sorry for making my comment an answer. For some reason, it won't allow me to make comments, only answers.... ???<BR /> When I click on "comment" it drops down to the main answers section.</P> Thu, 31 May 2018 14:23:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-write-Linebreaker-rule-for-the-below-events/m-p/431874#M75594 dpetracca_splun 2018-05-31T14:23:55Z