https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415945#M174335 <PRE><CODE># /opt//splunkforwarder/bin/splunk btool props list audit [audit] ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = ([\r\n]+)\x23 BREAK_ONLY_BEFORE_DATE = True CHARSET = UTF-8 DATETIME_CONFIG = /etc/datetime.xml HEADER_MODE = LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 27 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = true TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z TIME_PREFIX = ^\x23\s TRANSFORMS = TRUNCATE = 10000 detect_trailing_nulls = false maxDist = 500 priority = sourcetype = </CODE></PRE> Fri, 30 Nov 2018 14:41:43 GMT ktn01 2018-11-30T14:41:43Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415941#M174331 <P>Hello,</P> <P>I have to break an event that begins with a # on the first line.</P> <PRE><CODE>ds-sync-hist: modifyTimestamp:00000167645c911a3acb006bebe0:repl:20181130112407Z - # 30/Nov/2018:12:24:09 +0100; conn=-3; op=70042 dn: dc changetype: modify replace: ds-sync-state ds-sync-state: 00000167645c911a3acb006bebe0 ds-sync-state: 000001545149cb662a7e00000008 ds-sync-state: 000001547c812c73545b00000006 ds-sync-state: 0000015451332949677000030def ds-sync-state: 000001670cc99f4378f6000132aa - # 30/Nov/2018:12:26:03 +0100; conn=-2; op=70043 dn: u... </CODE></PRE> <P>I tried with <CODE>BREAK_ONLY_BEFORE = ^\#</CODE> and <CODE>BREAK_ONLY_BEFORE = ^#</CODE>on <CODE>props.conf</CODE> but this does not work probably because # is interpreted as the beginning of a comment.</P> <P>here is the content of my <CODE>props.conf</CODE></P> <PRE><CODE>[audit] TIME_PREFIX = ^#\s TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z MAX_TIMESTAMP_LOOKAHEAD = 27 BREAK_ONLY_BEFORE = ^\# SHOULD_LINEMERGE = true </CODE></PRE> <P>Thanks</P> Fri, 30 Nov 2018 13:08:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415941#M174331 ktn01 2018-11-30T13:08:27Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415942#M174332 <P>When you run <CODE>btool props list audit</CODE> what does it show for TIME_PREFIX and BREAK_ONLY_BEFORE?</P> Tue, 29 Sep 2020 22:09:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415942#M174332 richgalloway 2020-09-29T22:09:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415943#M174333 <P>Not sure if that break only before would be the right solution anyway, even if the character wouldn't be causing special behavior.</P> <P>I'd say, try this:</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)# </CODE></PRE> <P>or, to prevent issues with the <CODE>#</CODE></P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\x23 TIME_PREFIX = ^\x23\s </CODE></PRE> <P><A href="https://regex101.com/r/EPG7gB/1">https://regex101.com/r/EPG7gB/1</A></P> Fri, 30 Nov 2018 13:34:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415943#M174333 FrankVl 2018-11-30T13:34:58Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415944#M174334 <P>Thank's for your answer but my new <CODE>props.conf</CODE> does not work better:</P> <PRE><CODE>[audit] TIME_PREFIX = ^\x23\s TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z MAX_TIMESTAMP_LOOKAHEAD = 27 BREAK_ONLY_BEFORE = ([\r\n]+)\x23 SHOULD_LINEMERGE = true </CODE></PRE> Fri, 30 Nov 2018 14:11:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415944#M174334 ktn01 2018-11-30T14:11:06Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415945#M174335 <PRE><CODE># /opt//splunkforwarder/bin/splunk btool props list audit [audit] ANNOTATE_PUNCT = True AUTO_KV_JSON = true BREAK_ONLY_BEFORE = ([\r\n]+)\x23 BREAK_ONLY_BEFORE_DATE = True CHARSET = UTF-8 DATETIME_CONFIG = /etc/datetime.xml HEADER_MODE = LEARN_MODEL = true LEARN_SOURCETYPE = true LINE_BREAKER_LOOKBEHIND = 100 MATCH_LIMIT = 100000 MAX_DAYS_AGO = 2000 MAX_DAYS_HENCE = 2 MAX_DIFF_SECS_AGO = 3600 MAX_DIFF_SECS_HENCE = 604800 MAX_EVENTS = 256 MAX_TIMESTAMP_LOOKAHEAD = 27 MUST_BREAK_AFTER = MUST_NOT_BREAK_AFTER = MUST_NOT_BREAK_BEFORE = SEGMENTATION = indexing SEGMENTATION-all = full SEGMENTATION-inner = inner SEGMENTATION-outer = outer SEGMENTATION-raw = none SEGMENTATION-standard = standard SHOULD_LINEMERGE = true TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z TIME_PREFIX = ^\x23\s TRANSFORMS = TRUNCATE = 10000 detect_trailing_nulls = false maxDist = 500 priority = sourcetype = </CODE></PRE> Fri, 30 Nov 2018 14:41:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415945#M174335 ktn01 2018-11-30T14:41:43Z https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415946#M174336 <P>Ok, so the issue probably wasn't (only) with the <CODE>#</CODE> character. As I mentioned: try using line_breaker and linemerge = false, instead of break only before.</P> Fri, 30 Nov 2018 15:47:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-break-multiline-events-beginning-with-a/m-p/415946#M174336 FrankVl 2018-11-30T15:47:58Z