https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304513#M165646 <P>Then your parsing settings need to go on the indexer as the UF does not do any event parsing.</P> Fri, 13 Oct 2017 01:47:55 GMT s2_splunk 2017-10-13T01:47:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304508#M165641 <P>I want the one event in the picture to be broken into many events with the spaces in between. How do I do so with props.conf ?</P> <P>Heres what i tried in my props.conf i tried "LINE_BREAKER = \s" and "LINE_BREAKER = [\s]"<BR /> [daemontest]<BR /> LINE_BREAKER = ([\s]+)<BR /> SHOULD_LINEMERGE = false</P> <P><IMG src="https://community.splunk.com/storage/temp/216802-one-event.png" alt="alt text" /></P> Tue, 29 Sep 2020 16:13:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304508#M165641 Kitteh 2020-09-29T16:13:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304509#M165642 <P>"LINE_BREAKER = ([\s]+)" with "SHOULD_LINEMERGE=false" should work, and it works for me after mocking up a similar example and using the preview feature of "Add Data".</P> <P>Are you sure those settings are being applied, i.e. are you restarting/refreshing Splunk after editing props.conf?</P> Tue, 29 Sep 2020 16:13:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304509#M165642 jhigginsmq 2020-09-29T16:13:54Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304510#M165643 <P>Are you configuring props.conf on the splunk instance that parses your event stream? That would be either your indexer, or a heavy forwarder you may have in your data ingest path.</P> Thu, 12 Oct 2017 18:43:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304510#M165643 s2_splunk 2017-10-12T18:43:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304511#M165644 <P>I am using universal forwarder </P> Fri, 13 Oct 2017 01:10:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304511#M165644 Kitteh 2017-10-13T01:10:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304512#M165645 <P>Yes i've restart everytime i finished editing props.conf</P> Fri, 13 Oct 2017 01:17:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304512#M165645 Kitteh 2017-10-13T01:17:15Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304513#M165646 <P>Then your parsing settings need to go on the indexer as the UF does not do any event parsing.</P> Fri, 13 Oct 2017 01:47:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304513#M165646 s2_splunk 2017-10-13T01:47:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304514#M165647 <P>See above, these settings have no effect on the UF, they need to go on the indexer, which is where the event parsing happens.<BR /> All the forwarder sees are 64KB chunks of data read from a monitored file or received on a network input.</P> Fri, 13 Oct 2017 01:49:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304514#M165647 s2_splunk 2017-10-13T01:49:02Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304515#M165648 <P>This has been fixed by adding the parameter "BREAK_ONLY_BEFORE=\s"</P> <P>[daemontest]<BR /> LINE_BREAKER = ([\s]+)<BR /> BREAK_ONLY_BEFORE =\s<BR /> SHOULD_LINEMERGE = false</P> <P>Above is my parameters used just by splitting events with space.</P> Tue, 29 Sep 2020 16:14:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-into-multiple-events-just-by-space/m-p/304515#M165648 Kitteh 2020-09-29T16:14:40Z