https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469847#M99637 <P>Hi Mayurr, did not want to leave this question open ended, but I am still working on a solution. From working with our teams it seems that these particular settings are being overridden by the Indexer, which I do not have direct access to. </P> Tue, 10 Sep 2019 13:04:58 GMT ryancmiller 2019-09-10T13:04:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469836#M99626 <P>With multi-line logs, I am trying to linebreak on an obvious linebreaker of dashes (----------------------------------------------------------). (Note in the below examples it appears to be coming across as a whole line, but it should be like above).</P> <P><STRONG>Example log:</STRONG></P> <P>ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84<BR /> EventId : 300<BR /> Keywords : 4<BR /> Level : Informational<BR /> Message : Application information<BR /> Opcode : Info<BR /> Task : 65234<BR /> Version : 0<BR /> Payload : Generic information<BR /> EventName : InfoInfo<BR /> ProcessId : 6528<BR /> ThreadId : 12524</P> <H2>Timestamp : 2019-08-30 12:32:50 PM</H2> <P>I've tried various regex expressions, one such as <STRONG>^(\s+)-+(\s+)$</STRONG> to break on the line, but the results don't seem to work. Also Splunk seems to interpret the Timestamp as the beginning of the log but it is actually the last part of the log before the linebreak.</P> <P>In general Splunk will display the events as (note the Timestamp is first, but it should be last):</P> <P><STRONG>Example results:</STRONG></P> <H2>Timestamp : 2019-08-30 12:32:50 PM</H2> <P>ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84<BR /> EventId : 300<BR /> Keywords : 4<BR /> ...</P> Fri, 30 Aug 2019 16:37:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469836#M99626 ryancmiller 2019-08-30T16:37:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469837#M99627 <P>try setting <CODE>BREAK_ONLY_BEFORE = ProviderId</CODE> in your props.conf</P> Fri, 30 Aug 2019 17:34:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469837#M99627 mayurr98 2019-08-30T17:34:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469838#M99628 <P>That seems like a good idea actually, but for some reason it is tending to bunch up a lot of events together, or still putting the timestamp at the top. In some cases it does take out the Timestamp and includes it only as part of the Event Time itself (which is fine). I modified the props.conf within \etc\system\local and restarted the service. </P> <P>The <STRONG>props.conf</STRONG> config looks like this:</P> <P>[sourceTypeName]<BR /> BREAK_ONLY_BEFORE = ProviderId</P> <P><STRONG>Splunk Event examples:</STRONG></P> <P>... 1 line omitted ...<BR /> ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84<BR /> ... 13 lines omitted ...<BR /> ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84<BR /> ... 13 lines omitted ...<BR /> ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84<BR /> ... 13 lines omitted ...<BR /> ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84<BR /> ... 13 lines omitted ...<BR /> ProviderId : 453af5ee-6772-55ce-39b3-0f9307a96b84</P> Wed, 30 Sep 2020 02:01:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469838#M99628 ryancmiller 2020-09-30T02:01:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469839#M99629 <P>you have only BREAK_ONLY_BEFORE in props.conf for that stanza?</P> <P>could you share the entire configuration for that sourcetype?</P> Wed, 30 Sep 2020 02:01:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469839#M99629 mayurr98 2020-09-30T02:01:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469840#M99630 <P>Sure, here (from the Splunk UI). They are basically the default settings I believe:</P> <P>Name Value<BR /><BR /> CHARSET <STRONG>AUTO</STRONG><BR /> DATETIME_CONFIG <STRONG>[blank]</STRONG><BR /> LINE_BREAKER <STRONG>([\r\n]+)</STRONG><BR /> NO_BINARY_CHECK <STRONG>true</STRONG><BR /> SHOULD_LINEMERGE <STRONG>true</STRONG><BR /> category <STRONG>Custom</STRONG><BR /> disabled <STRONG>false</STRONG><BR /> pulldown_type <STRONG>true</STRONG></P> Wed, 30 Sep 2020 02:01:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469840#M99630 ryancmiller 2020-09-30T02:01:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469841#M99631 <P>And yes, that is the only line for the stanza. Created the props.conf file specifically for it.</P> Fri, 30 Aug 2019 18:17:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469841#M99631 ryancmiller 2019-08-30T18:17:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469842#M99632 <P>why there is <CODE>LINE_BREAKER</CODE>? when you have break_only_before<BR /> comment all that and try this new :</P> <PRE><CODE> [your_sourcetype] CHARSET = SHOULD_LINEMERGE = true NO_BINARY_CHECK = true BREAK_ONLY_BEFORE = ProviderId TIME_FORMAT = %Y-%m-%d %I:%M:%S %p TIME_PREFIX = Timestamp\s:\s </CODE></PRE> <P>and change it from the backend</P> Wed, 30 Sep 2020 02:01:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469842#M99632 mayurr98 2020-09-30T02:01:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469843#M99633 <P>The above was taken directly from the Splunk UI, which autogenerated that LINE_BREAKER.</P> <P>In props.conf, it is as you've just described.</P> <P>Could there be any conflicts?</P> Tue, 03 Sep 2019 15:28:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469843#M99633 ryancmiller 2019-09-03T15:28:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469844#M99634 <P>One more point to note, after the dashed line is a blank line. The line could break on the blank line instead of the dashes.</P> Tue, 03 Sep 2019 15:34:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469844#M99634 ryancmiller 2019-09-03T15:34:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469845#M99635 <P>Try adding MAX_TIMESTAMP_LOOKAHEAD to your props stanza:</P> <P>MAX_TIMESTAMP_LOOKAHEAD = 320</P> <P>if the content length varies, use a value appropriate for the variance:</P> <P>MAX_TIMESTAMP_LOOKAHEAD = 512</P> <P>I use multiples of 64 on x86-64 "just in case" Splunk allocates this as a separate buffer. Different architectures have different cache line sizes.</P> Wed, 30 Sep 2020 01:58:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469845#M99635 tscroggins 2020-09-30T01:58:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469846#M99636 <P>Could I be doing something wrong with the configuration itself? For example, if I try renaming the sourcetype, the new sourcetype doesn't take affect. Is there an easy way to check out what attributes are being applied?</P> Tue, 03 Sep 2019 18:09:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469846#M99636 ryancmiller 2019-09-03T18:09:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469847#M99637 <P>Hi Mayurr, did not want to leave this question open ended, but I am still working on a solution. From working with our teams it seems that these particular settings are being overridden by the Indexer, which I do not have direct access to. </P> Tue, 10 Sep 2019 13:04:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-event-break-on-multiple-dashes/m-p/469847#M99637 ryancmiller 2019-09-10T13:04:58Z