https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49446#M9387 <P>In props.conf, change MAX_EVENTS</P> <PRE><CODE>MAX_EVENTS = &lt;integer&gt; * Specifies the maximum number of input lines to add to any event. * Splunk breaks after the specified number of lines are read. * Defaults to 256. </CODE></PRE> Tue, 14 Sep 2010 04:24:52 GMT dwaddle 2010-09-14T04:24:52Z https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49445#M9386 <P>Hi all,</P> <P>I have the following output from a Perl script that runs every 5 mins:</P> <PRE><CODE>09-13-2010 16:21:20 - Inventory Report DATACENTER, CLUSTER, VMHOST, VM PPD, DNSAS-Cluster1, dnsas-esx1, dnsa-secweb1 PPD, DNSAS-Cluster1, dnsas-esx1, dnsasval1-dev9 PPD, DNSAS-Cluster1, dnsas-esx1, ddist3-dev9 PPD, DNSAS-Cluster1, dnsas-esx1, dmplupe1-dev9 PPD, DNSAS-Cluster1, dnsas-esx1, dnsasext1-dev9 ... ... ... (520 lines) </CODE></PRE> <P>And this is how my props.conf looks like:</P> <PRE><CODE>[source::vm_inventory] SHOULD_LINEMERGE=True BREAK_ONLY_BEFORE_DATE=True TIME_FORMAT=%m-%d-%Y %H:%M:%S </CODE></PRE> <P>However the events got truncated into 256 line chunks. Am I missing anything here? Or should I do it this way?</P> <PRE><CODE>[source::vm_inventory] TRUNCATE = 0 LINE_BREAKER = (?!) </CODE></PRE> Tue, 14 Sep 2010 04:16:12 GMT https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49445#M9386 Nicholas_Key 2010-09-14T04:16:12Z https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49446#M9387 <P>In props.conf, change MAX_EVENTS</P> <PRE><CODE>MAX_EVENTS = &lt;integer&gt; * Specifies the maximum number of input lines to add to any event. * Splunk breaks after the specified number of lines are read. * Defaults to 256. </CODE></PRE> Tue, 14 Sep 2010 04:24:52 GMT https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49446#M9387 dwaddle 2010-09-14T04:24:52Z https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49447#M9388 <P>You can either set <CODE>MAX_EVENTS</CODE> high, which will take CR-LF delimited lines and merge them up to 256 lines, <EM>or</EM> you can use the</P> <PRE><CODE>TRUNCATE = 0 LINE_BREAKER = (?!) SHOULD_LINEMERGE = false </CODE></PRE> <P>method, <EM>except</EM> that the <CODE>LINE_BREAKER = (?!)</CODE> will <EM>only</EM> split an event at the end of input, i.e., it's only going to work when you get a new file, or if it's a scripted input that gets invoked once for each event. <CODE>SHOULD_LINEMERGE = false</CODE> potentially has much better performance, but probably if you use it, you should use:</P> <PRE><CODE>LINE_BREAKER = ([\r\n]+)\d{2}-\d{2}-\d{4}\s+\d{1,2}:\d{2}:\d{2} </CODE></PRE> <P>FURTHERMORE, I notice that you don't have a time zone specified in your timestamp, I <EM>strongly</EM> recommend that you include the time zone in your timestamp (unless you are committed to always logging those in UTC, in which case it wouldn't hurt to include <CODE>Z</CODE> at the end anyway).</P> Tue, 14 Sep 2010 06:16:50 GMT https://community.splunk.com/t5/Getting-Data-In/Events-chunked-into-256-lines/m-p/49447#M9388 gkanapathy 2010-09-14T06:16:50Z