https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470597#M99666 <P>Take a look at this data onboarding cheat sheet published by Aplura, it is a great guide to establish your data onboarding practices:<BR /> <A href="https://www.aplura.com/assets/pdf/onboarding_cheatsheet.pdf">https://www.aplura.com/assets/pdf/onboarding_cheatsheet.pdf</A></P> Tue, 31 Dec 2019 15:31:14 GMT mydog8it 2019-12-31T15:31:14Z https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470596#M99665 <P>Hello, </P> <P>I have a file monitor for a log file where I am getting indexed data with multiple lines. Example of one event:</P> <P>2019-12-30 09:16:41:908: Requestor: IMM_Mobile, IsLocal: False<BR /> 2019-12-30 09:16:41:908: 637132942019089151: Scanned CID: BARCODE:</P> <P>Now i notice that it is the same time but they should still be separate events. i have read where someone suggested SHOULD_LINEMERGE = false, however if I am reading the documentation correctly, the SHOULD_LINEMERGE = true and BREAK_ONLY_BEFORE_DATE = true being the defaults should be processing the above as two separate events. What am I misunderstanding?</P> <P>I am hesitant to configure SHOULD_LINEMERGE = false because I think it may be needed for other events that span multiple lines.</P> <P>only other thing I can think of is possibly my props/transforms might be screwing with the data in some other way. Below are what I think are the relevant portions of my props/transforms:</P> <P>Props:<BR /> [mySourceType]<BR /> TRANSFORMS-set= setnull,setparsing<BR /> TRANSFORMS-sourcetype= setNewSourceType</P> <P>Transforms:<BR /> [setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = \b(?:offline|online|\d{4}-d{2}-d{2}\s+\d{2}:\d{2}:\d{2}:\d{3}:\s+\d{18}:\s)\b<BR /> DESK_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[setNewSourceType]<BR /> REGEX = \b(\d{4}-d{2}-d{2}\s+\d{2}:\d{2}:\d{2}:\d{3}:\s+\d{18}:\s)<BR /> FORMAT = sourcetype::NewSourceType<BR /> DEST_KEY = MetaData:Sourcetype</P> <P>Thanks for any assistance!<BR /> David</P> Wed, 30 Sep 2020 03:27:17 GMT https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470596#M99665 dglass0215 2020-09-30T03:27:17Z https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470597#M99666 <P>Take a look at this data onboarding cheat sheet published by Aplura, it is a great guide to establish your data onboarding practices:<BR /> <A href="https://www.aplura.com/assets/pdf/onboarding_cheatsheet.pdf">https://www.aplura.com/assets/pdf/onboarding_cheatsheet.pdf</A></P> Tue, 31 Dec 2019 15:31:14 GMT https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470597#M99666 mydog8it 2019-12-31T15:31:14Z https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470598#M99667 <P>While this might be slightly useful it does not answer my question. Do you know why the two lines above are one event? And do you know how I can fix it? Thanks!</P> Thu, 02 Jan 2020 18:58:16 GMT https://community.splunk.com/t5/Getting-Data-In/log-file-not-parsing-properly-multiple-lines-per-event/m-p/470598#M99667 dglass0215 2020-01-02T18:58:16Z