https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372738#M40423 <P>Thanks niketnilay</P> <P>I had to add a new sourcetype with<BR /> 1. SHOULD_LINEMERGE = false<BR /> 2 removed BREAK_ONLY_BEFORE attribute</P> <P>...then pointed our data to this new sourcetype. Worked a treat.</P> <P>Alex</P> Tue, 29 Sep 2020 16:49:54 GMT alexmartinez 2020-09-29T16:49:54Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372735#M40420 <P>Sorry new to Splunk...I've a single logfile with entries that look like this:</P> <P>"15/11/2017 20:20:59","0","1803.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:00","0","1260.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:00","0","2415.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:01","0","134.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:01","0","808.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:02","0","261.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:02","0","646.xml","Copied to Amazon S3",5,"O"<BR /> "15/11/2017 20:21:03","0","1157.xml","Copied to Amazon S3",5,"O"</P> <P>Splunk is breaking this into events by timestamp (field 1) but because the above entries have repeating timestamps I only get the first event for each date. </P> <P>How can I insure that EACH line gets its own event? </P> Thu, 16 Nov 2017 14:02:16 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372735#M40420 alexmartinez 2017-11-16T14:02:16Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372736#M40421 <P>@alexmartinez, what is your current props.conf file settings for this sourcetype?</P> <P>If you want to break events on every line you should turn off line merge setting:</P> <PRE><CODE>SHOULD_LINEMERGE=false </CODE></PRE> <P>Refer to Splunk Documentation: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking">https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking</A></P> Thu, 16 Nov 2017 18:44:10 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372736#M40421 niketn 2017-11-16T18:44:10Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372737#M40422 <P>In my edit Source TYpe/advanced settings on the console for Splunk Enterprrse: </P> <P>BREAK_ONLY_BEFORE ([\n]+)<BR /> FIELD_NAMES logtimestamp,is_control_message,filename_message,status,file_status,error_type<BR /> INDEXED_EXTRACTIONS csv<BR /> NO_BINARY_CHECK true<BR /> SHOULD_LINEMERGE true <BR /> TIMESTAMP_FIELDS logtimestamp<BR /> TIME_FORMAT %d/%m/%Y %H:%M:%S<BR /> category Structured<BR /> disabled false<BR /> pulldown_type true</P> <P>I tried:<BR /> SHOULD_LINEMERGE = false as an admin user in the console but it reverts back to true! I also tried removing the attribute BREAK_ONLY_BEFORE but it won't let me. Can't I edit Advanced settings? </P> Tue, 29 Sep 2020 16:53:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372737#M40422 alexmartinez 2020-09-29T16:53:41Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372738#M40423 <P>Thanks niketnilay</P> <P>I had to add a new sourcetype with<BR /> 1. SHOULD_LINEMERGE = false<BR /> 2 removed BREAK_ONLY_BEFORE attribute</P> <P>...then pointed our data to this new sourcetype. Worked a treat.</P> <P>Alex</P> Tue, 29 Sep 2020 16:49:54 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372738#M40423 alexmartinez 2020-09-29T16:49:54Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372739#M40424 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201110">@niketn</a> that worked when i configured a new sourcetype with that attribute and also removed the BREAK_ONLY_BEFORE attribute . Then I pointed the datasource to this new sourcetype. Its all working now as expected.</P> Tue, 29 Sep 2020 16:53:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372739#M40424 alexmartinez 2020-09-29T16:53:52Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372740#M40425 <P>@alexmartinez, I have converted to answer, please accept.</P> Fri, 17 Nov 2017 14:43:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372740#M40425 niketn 2017-11-17T14:43:43Z https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372741#M40426 <P>@alexmartinez, please accept the answer if your issue is resolved.</P> Fri, 24 Nov 2017 04:34:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multiline-log-break-on-return-char-not-timestamp/m-p/372741#M40426 niketn 2017-11-24T04:34:41Z