https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46734#M11174 <P>Assuming that all events in the log file follow this format you should configure like so;</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype_here] SHOULD_LINEMERGE = false TIME_PREFIX = : TIME_FORMAT = %Y%m%d:%H%M%S.%3N </CODE></PRE> <P><CODE>SHOULD_LINEMERGE = false</CODE> implies that all events are single-line, and you should not need to specify any <CODE>LINE_BREAKER</CODE>. </P> <P><CODE>MUST_NOT_BREAK_AFTER</CODE> and similar <CODE>BREAK_ONLY_BEFORE...</CODE> etc are only relevant when <CODE>SHOULD_LINEMERGE = true</CODE></P> <P>Hope this helps,</P> <P>K</P> Mon, 26 Aug 2013 19:54:38 GMT kristian_kolb 2013-08-26T19:54:38Z https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46733#M11173 <P>Need some help breaking an event out into multiple events.</P> <P>For example the following event:</P> <PRE><CODE> 7368:20130826:133019.286 status 7368:20130826:133019.389 status 7368:20130826:133019.414 status 7368:20130826:133019.433 status </CODE></PRE> <P>The format is pid:date/timestamp space status</P> <P>I have tried adding the following things to the indexer:</P> <P>props.conf:</P> <PRE><CODE>[sourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = (\d+:%Y%m%d:%H%M%S.%3N\s)([\r\n]) </CODE></PRE> <P>and</P> <PRE><CODE>MUST_BREAK_AFTER = (\d+:%Y%m%d:%H%M%S.%3N\s)|([\r\n]) </CODE></PRE> <P>Neither of the above seems to have any effect either good or bad on the data even after restarting the service.</P> <P>What I want is everytime splunk encounters the above format of pid:date/timestamp it creates a new event.</P> <P>Splunk does seem to be matching the date/timestamps up correctly it just seems to lump all the events under the one event.</P> <P>Since I'm new to both splunk and regex expressions I'm not sure the best way to go about this.</P> Mon, 26 Aug 2013 19:37:06 GMT https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46733#M11173 sir_reel 2013-08-26T19:37:06Z https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46734#M11174 <P>Assuming that all events in the log file follow this format you should configure like so;</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype_here] SHOULD_LINEMERGE = false TIME_PREFIX = : TIME_FORMAT = %Y%m%d:%H%M%S.%3N </CODE></PRE> <P><CODE>SHOULD_LINEMERGE = false</CODE> implies that all events are single-line, and you should not need to specify any <CODE>LINE_BREAKER</CODE>. </P> <P><CODE>MUST_NOT_BREAK_AFTER</CODE> and similar <CODE>BREAK_ONLY_BEFORE...</CODE> etc are only relevant when <CODE>SHOULD_LINEMERGE = true</CODE></P> <P>Hope this helps,</P> <P>K</P> Mon, 26 Aug 2013 19:54:38 GMT https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46734#M11174 kristian_kolb 2013-08-26T19:54:38Z https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46735#M11175 <P>Can this still be used if not all entries in the log file follow that format?</P> <P>There are some entries that do not have a clear date/time stamp. I am not as concerned that those get separated out properly as I am that every time splunk hits the above date/time stamp it creates a new event.</P> Mon, 26 Aug 2013 20:33:02 GMT https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46735#M11175 sir_reel 2013-08-26T20:33:02Z https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46736#M11176 <P>This worked perfectly, thanks Kristian.</P> Thu, 29 Aug 2013 14:49:50 GMT https://community.splunk.com/t5/Splunk-Search/Seperate-One-Event-into-Multiple-Events/m-p/46736#M11176 sir_reel 2013-08-29T14:49:50Z