https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306978#M160096 <P>SHOULD_LINEMERGE= TRUE, try with that </P> Mon, 17 Jul 2017 05:39:34 GMT bic 2017-07-17T05:39:34Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306975#M160093 <P>SHOULD_LINEMERGE = true<BR /> MAX_EVENTS = 99999<BR /> TRUNCATE = 9999999</P> <HR /> <P>SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = ((FAIL*))</P> <P>I have tried both of above (trying each one at a time) in indexer props.conf ...and restarted splunk..to have a simple text file , entire file to go to single event but whatever I do splunk automatically splitting the file into 2 events<BR /> Is there any way to have the entire file to single event</P> <P>Thank you in advance<BR /> AB</P> Tue, 29 Sep 2020 14:52:27 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306975#M160093 722624 2020-09-29T14:52:27Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306976#M160094 <P>in the LINE_BREAKER you can use regular expression to match end of file , something like (.*?) . Hope that should not break your file into two parts</P> Fri, 14 Jul 2017 08:59:37 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306976#M160094 bic 2017-07-14T08:59:37Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306977#M160095 <P>[sourcetype]<BR /> SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = (.*?)</P> <P>I tried the above... still file is split into two events....the same regex (.*?) in regex101.com is selecting the entire file</P> <P>Thank you<BR /> AB</P> Tue, 29 Sep 2020 14:53:00 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306977#M160095 722624 2020-09-29T14:53:00Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306978#M160096 <P>SHOULD_LINEMERGE= TRUE, try with that </P> Mon, 17 Jul 2017 05:39:34 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306978#M160096 bic 2017-07-17T05:39:34Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306979#M160097 <P>Actually documentation asked to have SHOULD_LINEMERGE= false for LINE_BREAKER ...<BR /> anyways tried your suggestion also ...<BR /> No Luck <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Thank you<BR /> AB</P> Tue, 29 Sep 2020 14:53:03 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306979#M160097 722624 2020-09-29T14:53:03Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306980#M160098 <P>surprisingly...If i download the file to my PC and upload with same source type then it is reading entire file as single event....<BR /> But if the same log file is coming from forwarder, then file is being split into 2 event...</P> <P>Anybody? please help</P> <P>Thank you<BR /> AB</P> Mon, 17 Jul 2017 07:44:13 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306980#M160098 722624 2017-07-17T07:44:13Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306981#M160099 <P>please check the queue size from the forwarder , try indexing a smaller file and see if that is coming through in one piece </P> Mon, 17 Jul 2017 07:48:33 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306981#M160099 bic 2017-07-17T07:48:33Z https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306982#M160100 <P>this file is 90 lines only hardly 4kb in size....</P> Mon, 17 Jul 2017 08:07:47 GMT https://community.splunk.com/t5/Splunk-Search/entire-file-to-a-single-event/m-p/306982#M160100 722624 2017-07-17T08:07:47Z