https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472423#M81186 <P>Hello Splunk community! I have a monitored input file. A process writes a header to a continuous log file and about a minute or so later results are appended to the log. Because the lag between the header and the results is so great, Splunk is seeing this as two separate events, where in fact it should be one multi-line event (header &amp; results). I've tried all sorts of line breaking options in props.conf but nothing seems to work. Does anyone out there have any suggestions? I can recreate it with a simple test script with a sleep, running through a while loop.</P> <P>echo "<CODE>date "+%F %T"</CODE> This is the header" &gt;&gt; $OUT <BR /> sleep 30<BR /> echo "Slept for 30 seconds" &gt;&gt; $OUT<BR /> echo "DONE" &gt;&gt; $OUT</P> <P>SHOULD_LINEMERGE=true<BR /> CHARSET=UTF-8<BR /> MAX_TIMESTAMP_LOOKAHEAD=25<BR /> TIME_PREFIX=^<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S<BR /> BREAK_ONLY_BEFORE_DATE=true<BR /> NO_BINARY_CHECK=true</P> Wed, 30 Sep 2020 02:04:24 GMT shpot 2020-09-30T02:04:24Z https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472423#M81186 <P>Hello Splunk community! I have a monitored input file. A process writes a header to a continuous log file and about a minute or so later results are appended to the log. Because the lag between the header and the results is so great, Splunk is seeing this as two separate events, where in fact it should be one multi-line event (header &amp; results). I've tried all sorts of line breaking options in props.conf but nothing seems to work. Does anyone out there have any suggestions? I can recreate it with a simple test script with a sleep, running through a while loop.</P> <P>echo "<CODE>date "+%F %T"</CODE> This is the header" &gt;&gt; $OUT <BR /> sleep 30<BR /> echo "Slept for 30 seconds" &gt;&gt; $OUT<BR /> echo "DONE" &gt;&gt; $OUT</P> <P>SHOULD_LINEMERGE=true<BR /> CHARSET=UTF-8<BR /> MAX_TIMESTAMP_LOOKAHEAD=25<BR /> TIME_PREFIX=^<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S<BR /> BREAK_ONLY_BEFORE_DATE=true<BR /> NO_BINARY_CHECK=true</P> Wed, 30 Sep 2020 02:04:24 GMT https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472423#M81186 shpot 2020-09-30T02:04:24Z https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472424#M81187 <P>Did you try</P> <PRE><CODE>LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{2}\:\d{2}\:\d{2} </CODE></PRE> Thu, 05 Sep 2019 03:04:02 GMT https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472424#M81187 nareshinsvu 2019-09-05T03:04:02Z https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472425#M81188 <P>Thank you for your reply. It did not work.</P> Thu, 05 Sep 2019 03:18:12 GMT https://community.splunk.com/t5/Getting-Data-In/Multi-line-event-not-breaking/m-p/472425#M81188 shpot 2019-09-05T03:18:12Z