https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532329#M89497 <P>Hello fellow splunkers!</P><P>&nbsp;</P><P>atm I'm trying to break up a huge multiline event that is merged together with &amp;&amp;&amp;. When I try to explicitly tell Splunk to <STRONG>BREAK_ONLY_AFTER = &amp;&amp;&amp;</STRONG> it doesn't work. I also tried <STRONG>BREAK_ONLY_BEFORE = \d+.\d+.\d+.\d+\s-\s-</STRONG> and <STRONG>BREAK_ONLY_AFTER = \d{3}&amp;&amp;&amp;</STRONG></P><P>it seems that nothing I try works. please help</P><P>here is the source log:&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&amp;JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&amp;itemId=EST-16&amp;product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&amp;&amp;&amp;130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&amp;JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&amp;itemId=EST-12&amp;product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&amp;&amp;&amp;141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&amp;JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&amp;itemId=EST-20&amp;product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Dec 2020 13:37:27 GMT avoelk 2020-12-08T13:37:27Z https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532329#M89497 <P>Hello fellow splunkers!</P><P>&nbsp;</P><P>atm I'm trying to break up a huge multiline event that is merged together with &amp;&amp;&amp;. When I try to explicitly tell Splunk to <STRONG>BREAK_ONLY_AFTER = &amp;&amp;&amp;</STRONG> it doesn't work. I also tried <STRONG>BREAK_ONLY_BEFORE = \d+.\d+.\d+.\d+\s-\s-</STRONG> and <STRONG>BREAK_ONLY_AFTER = \d{3}&amp;&amp;&amp;</STRONG></P><P>it seems that nothing I try works. please help</P><P>here is the source log:&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&amp;JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&amp;itemId=EST-16&amp;product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&amp;&amp;&amp;130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&amp;JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&amp;itemId=EST-12&amp;product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&amp;&amp;&amp;141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&amp;JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&amp;itemId=EST-20&amp;product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Dec 2020 13:37:27 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532329#M89497 avoelk 2020-12-08T13:37:27Z https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532330#M89498 <P>It doesn't work because there is no setting called BREAK_ONLY_AFTER.&nbsp; There is BREAK_ONLY_BEFORE and MUST_BREAK_AFTER, however.&nbsp; It's more efficient, however, to use LINE_BREAKER.&nbsp; Try these props.conf settings.</P><LI-CODE lang="markup">[mysourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = (&amp;&amp;&amp;) TIME_PREFIX = \[ TIME_FORMAT = %d/%b/%Y %H:%M:%S:%3N MAX_TIMESTAMP_LOOKAHEAD = 23 TRUNCATE = 10000</LI-CODE> Tue, 08 Dec 2020 13:53:38 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532330#M89498 richgalloway 2020-12-08T13:53:38Z https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532331#M89499 <P>I think I found a solution already as provided here:</P><P><A title="solution" href="https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-Multi-line-event-into-single-event/m-p/492332" target="_blank" rel="noopener">Unable-to-break-Multi-line-event-into-single-event</A>&nbsp;</P><P>When using LINE_BREAKER = it is apparently mandatory to encase your regex with () otherwise it doesn't work. I didn't know that. What I used, and what worked was one of the Regex I posted above but like this:&nbsp;</P><LI-CODE lang="markup">LINE_BREAKER = (\d{3}&amp;&amp;&amp;)</LI-CODE> Tue, 08 Dec 2020 13:53:58 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532331#M89499 avoelk 2020-12-08T13:53:58Z https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532334#M89500 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;,</P><P>thanks for your answer, that's exactly what I just figured out <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thanks for your fast reply tho! if I wouldn't have tried this a minute ago this would've been my life saver.</P><P>and you're right - I missread props.conf.spec . What could be used is BREAK_ONLY_BEFORE or MUST_BREAK_AFTER</P> Tue, 08 Dec 2020 13:57:29 GMT https://community.splunk.com/t5/Getting-Data-In/Line-Break-in-multiline-event-doesn-t-work/m-p/532334#M89500 avoelk 2020-12-08T13:57:29Z