https://community.splunk.com/t5/Getting-Data-In/individual-event-props-conf/m-p/14276#M96499 <P>I am expecting to see each record as an event, but the result is not as expected. Some records are displayed as individual events, but some are grouped into one event.</P> <H2>The result set looks like this:</H2> <P>1 5/26/10 9:19:21.000 AM FI.02-8947FI.02-8957FI.02-8979FI.03-8087FI.03-8171FI.03-8208FI.03-8270FI.03-8013FI.03-8278FI.03-8314 Show all 131 lines 2 5/26/10 9:19:20.000 AM FI.02-8886</P> <P>3 5/26/10 9:19:20.000 AM FI.02-8877</P> <P>4 5/26/10</P> <H2>9:19:20.000 AM FI.02-8865</H2> <H2>Following below are the contents of props.conf file:</H2> <P>[host::imappl01dev] LINE_BREAKER = ([\r\n]+)</P> <H2>MAX_EVENTS = 1</H2> <H2>Following below are the contents of inputs.conf file:</H2> <P>[default]</P> <P>[monitor:///opt/applocal/sb1/utils/log/ADO_COUNT/*N0ADOs_to_be_Consolidated*] index = iss-rdr sourcetype = IntADOsNotConsolidated</P> <P>[monitor:///opt/applocal/sb1/utils/log/ADO_COUNT/] index = iss-rdr sourcetype = IntADOsNotNormalized whitelist = /ADOsNotNormalized/?</P> <P></P><HR /><P></P> <P>Please help me to see each record as an individual event.</P> <P>Thank you </P> Wed, 26 May 2010 21:11:27 GMT msenthilganesh 2010-05-26T21:11:27Z https://community.splunk.com/t5/Getting-Data-In/individual-event-props-conf/m-p/14276#M96499 <P>I am expecting to see each record as an event, but the result is not as expected. Some records are displayed as individual events, but some are grouped into one event.</P> <H2>The result set looks like this:</H2> <P>1 5/26/10 9:19:21.000 AM FI.02-8947FI.02-8957FI.02-8979FI.03-8087FI.03-8171FI.03-8208FI.03-8270FI.03-8013FI.03-8278FI.03-8314 Show all 131 lines 2 5/26/10 9:19:20.000 AM FI.02-8886</P> <P>3 5/26/10 9:19:20.000 AM FI.02-8877</P> <P>4 5/26/10</P> <H2>9:19:20.000 AM FI.02-8865</H2> <H2>Following below are the contents of props.conf file:</H2> <P>[host::imappl01dev] LINE_BREAKER = ([\r\n]+)</P> <H2>MAX_EVENTS = 1</H2> <H2>Following below are the contents of inputs.conf file:</H2> <P>[default]</P> <P>[monitor:///opt/applocal/sb1/utils/log/ADO_COUNT/*N0ADOs_to_be_Consolidated*] index = iss-rdr sourcetype = IntADOsNotConsolidated</P> <P>[monitor:///opt/applocal/sb1/utils/log/ADO_COUNT/] index = iss-rdr sourcetype = IntADOsNotNormalized whitelist = /ADOsNotNormalized/?</P> <P></P><HR /><P></P> <P>Please help me to see each record as an individual event.</P> <P>Thank you </P> Wed, 26 May 2010 21:11:27 GMT https://community.splunk.com/t5/Getting-Data-In/individual-event-props-conf/m-p/14276#M96499 msenthilganesh 2010-05-26T21:11:27Z https://community.splunk.com/t5/Getting-Data-In/individual-event-props-conf/m-p/14277#M96500 <P>Your issues is with event breaking not line breaking. (You shouldn't have to mess with the <CODE>LINE_BREAKER</CODE> setting.)</P> <P>I'm not sure if you assigned line numbers to your events of they are in the raw event data. If they are in the raw data, then it's possible that your it is confusing the date parser. So probably the best place to start is by setting up an explicit date format and telling splunk what junk to expect before the date. (The example given will match with or without the leading digit, so it should work either way.)</P> <P>I would try setting the following in your <CODE>props.conf</CODE> file: (Note that I'm using the sourcetype of your events instead of creating a <CODE>host::</CODE> matching stanza because that's generally a better approach, at least from my experience.)</P> <PRE><CODE>[IntADOsNotConsolidated] TIME_PREFIX = ^(?:\d+ +)? # Date look like: 5/26/10 9:19:21.000 AM TIME_FORMAT = %m/%d/%y %I:%M:%S.%3N %P BREAK_ONLY_BEFORE_DATE = True </CODE></PRE> <P>If your event are always exactly one line, then you can remove the <CODE>BREAK_ONLY_BEFORE_DATE</CODE> entry, and replace it with the following:</P> <PRE><CODE>SHOULD_LINEMERGE = False </CODE></PRE> <P>As with all settings like this, these changes to your <CODE>props.conf</CODE> file will only effect newly indexed data after a splunk restart.</P> Wed, 26 May 2010 21:19:42 GMT https://community.splunk.com/t5/Getting-Data-In/individual-event-props-conf/m-p/14277#M96500 Lowell 2010-05-26T21:19:42Z