https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149964#M9105 <P>I get 2 events (one for the "event" part and 1 for the "message" part) instead of 1 event.</P> <P>Raw logged lines:<BR /> <PRE><BR /> &lt;log4j:event category="com.myapp.shr.util.sql.SelectStatement" timestamp="1405542493235" level="DEBUG" thread="xxx"&gt;<BR /> &lt;log4j:message xxxxCategory="1" messageKey="LOG_SELECTSTATEMENTEXECUTEQUERYRETURNED" arg1="jdbc:oracle:thin:@xxx:1521:yyy" arg2="Oracle" arg3=" 0ms" arg4="SELECT A,B,C FROM TABLE1" arg5="xxx" bracketingId=" "&gt;&lt;![CDATA[Duration: 0ms SQL: SELECT A,B,C FROM TABLE1<BR /> Server: jdbc:oracle:thin:@xxx:1521:yyy:<BR /> DB: Oracle<BR /> xxx] ]]&gt;&lt;/log4j:message&gt;<BR /> &lt;/log4j:event&gt;<BR /> </PRE></P> <P>My C:\Program Files\Splunk\etc\system\local\props.conf contains:</P> <PRE> [source::...\\logs\\YYY.log4j] sourcetype = YYY TIME_PREFIX = timestamp= SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)&lt;log4j:event </PRE> <P>YYY.log4j logfiles are getting sent via Splunk Universal Forwarder (tcp).</P> <P>Shouldn't the above settings combine the lines to create 1 event?</P> Sat, 19 Jul 2014 01:08:49 GMT NK_1 2014-07-19T01:08:49Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149964#M9105 <P>I get 2 events (one for the "event" part and 1 for the "message" part) instead of 1 event.</P> <P>Raw logged lines:<BR /> <PRE><BR /> &lt;log4j:event category="com.myapp.shr.util.sql.SelectStatement" timestamp="1405542493235" level="DEBUG" thread="xxx"&gt;<BR /> &lt;log4j:message xxxxCategory="1" messageKey="LOG_SELECTSTATEMENTEXECUTEQUERYRETURNED" arg1="jdbc:oracle:thin:@xxx:1521:yyy" arg2="Oracle" arg3=" 0ms" arg4="SELECT A,B,C FROM TABLE1" arg5="xxx" bracketingId=" "&gt;&lt;![CDATA[Duration: 0ms SQL: SELECT A,B,C FROM TABLE1<BR /> Server: jdbc:oracle:thin:@xxx:1521:yyy:<BR /> DB: Oracle<BR /> xxx] ]]&gt;&lt;/log4j:message&gt;<BR /> &lt;/log4j:event&gt;<BR /> </PRE></P> <P>My C:\Program Files\Splunk\etc\system\local\props.conf contains:</P> <PRE> [source::...\\logs\\YYY.log4j] sourcetype = YYY TIME_PREFIX = timestamp= SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)&lt;log4j:event </PRE> <P>YYY.log4j logfiles are getting sent via Splunk Universal Forwarder (tcp).</P> <P>Shouldn't the above settings combine the lines to create 1 event?</P> Sat, 19 Jul 2014 01:08:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149964#M9105 NK_1 2014-07-19T01:08:49Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149965#M9106 <P>Try splitting up your props.conf like this:</P> <PRE><CODE>[source::...\\logs\\YYY.log4j] sourcetype = YYY [YYY] TIME_PREFIX = timestamp= SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)&lt;log4j:event </CODE></PRE> Sat, 19 Jul 2014 09:58:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149965#M9106 martin_mueller 2014-07-19T09:58:35Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149966#M9107 <P>Adding the [YYY] stanza still makes Splunk use the old/default YYY split events. I tried using a new sourcetype name instead of YYY, and it does not get used. Should I be using a different props.conf file, or should I try to make Splunk "forget" that it ever saw a wrong YYY format?</P> Sat, 19 Jul 2014 19:05:58 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149966#M9107 NK_1 2014-07-19T19:05:58Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149967#M9108 <P>Splunk had "learned" and cached some bad formats for sourcetype YYY in props.conf and sourcetypes.conf under etc\apps\learned\local\</P> <P>Clearing those out made the YYY stanza in props.conf under etc\system\local\ work properly.</P> <P>Thanks!</P> Sun, 20 Jul 2014 23:05:17 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-splits-multi-line-log4j-xml-event/m-p/149967#M9108 NK_1 2014-07-20T23:05:17Z