https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189119#M187130 <P>sorry that was a typo on my part. I did include the backslashes in my props.conf file and it didn't work. I'm still getting multiple events grouped into a single Splunk event.</P> <P>I edited the props.conf file in <CODE>$SPLUNK_HOME/etc/system/local</CODE> because that's what the Splunk doc said to do: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents</A></P> <P>Should I be editing it in <CODE>$SPLUNK_HOME/etc/users/admin/search/local</CODE> instead? </P> Tue, 19 May 2015 20:38:08 GMT snandaku 2015-05-19T20:38:08Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189114#M187125 <P>Sample Data: {{"device_id":"a1c842ef8c0545f48e8e61d3e03c68bb","ip":"192.168.193.162","topic":"DEVICE","event":"device.access", "timestamp":"2015-05-05T20:55:30.904+0000"}}</P> <P>I want to break this into two separate events using <CODE>}}</CODE> as a delimiter: <BR /> {{"device_id":"a1c842ef8c0545f48e8e61d3e03c68bb","ip":"192.168.193.162","topic":"DEVICE","event":"device.access", "timestamp":"2015-05-05T20:55:30.904+0000"}}</P> <P>AND </P> <P>{{"source":{"email":"<A href="mailto:johndoe@acme.com">johndoe@acme.com</A>"}, "name":"John Doe"},"topic":"FILE","event":"file.create","timestamp":"2015-05-05T20:55:31.428+0000"}}</P> <P>I created a <CODE>props.conf</CODE> file in <CODE>$SPLUNK_HOME/etc/system/local</CODE>, added the following lines, and restarted splunkd, but it didn't work. <BR /> <CODE><BR /> SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = (}})<BR /> </CODE></P> <P>Any help would be much appreciated! </P> Fri, 15 May 2015 08:38:58 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189114#M187125 snandaku 2015-05-15T08:38:58Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189115#M187126 <P>Your sample data seems to be incomplete.</P> Fri, 15 May 2015 09:36:52 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189115#M187126 martin_mueller 2015-05-15T09:36:52Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189116#M187127 <P>Did you put the correct <CODE>sourcetype</CODE> in your stanza header? Try this (escape curly braces)</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = \}\}([\r\n]+) </CODE></PRE> Tue, 19 May 2015 15:01:50 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189116#M187127 woodcock 2015-05-19T15:01:50Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189117#M187128 <P>that didn't work either. This is exactly what I have in my <CODE>$SPLUNK_HOME/etc/system/local/props.conf</CODE> file: </P> <P><CODE><BR /> [_json]<BR /> SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = \}\}([\r\n]+)<BR /> </CODE></P> Tue, 19 May 2015 19:31:58 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189117#M187128 snandaku 2015-05-19T19:31:58Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189118#M187129 <P>First of all you should not be editing that file; you should make your own file in your own app directory. In any case, you did not preserve the backslashes. You have to use <EM>exactly</EM> what I wrote in my answer.</P> Tue, 19 May 2015 20:11:52 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189118#M187129 woodcock 2015-05-19T20:11:52Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189119#M187130 <P>sorry that was a typo on my part. I did include the backslashes in my props.conf file and it didn't work. I'm still getting multiple events grouped into a single Splunk event.</P> <P>I edited the props.conf file in <CODE>$SPLUNK_HOME/etc/system/local</CODE> because that's what the Splunk doc said to do: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Indexmulti-lineevents</A></P> <P>Should I be editing it in <CODE>$SPLUNK_HOME/etc/users/admin/search/local</CODE> instead? </P> Tue, 19 May 2015 20:38:08 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189119#M187130 snandaku 2015-05-19T20:38:08Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189120#M187131 <P>ok, so looks like the line break rule change in props.conf doesn't get applied to events that have already been indexed. New data coming in are getting split up correctly, so your instructions <EM>did</EM> work. But the older data that have already been indexed are not getting split up. Is there a way to force splunk to re-index <EM>everything</EM>? </P> Tue, 19 May 2015 21:19:22 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189120#M187131 snandaku 2015-05-19T21:19:22Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189121#M187132 <P>Yes, first you use this to remove the bad data:</P> <PRE><CODE>sourcetype=xxx | delete </CODE></PRE> <P>Then you do like this:<BR /> <A href="http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html">http://answers.splunk.com/answers/72562/how-to-reindex-data-from-a-forwarder.html</A></P> Wed, 20 May 2015 03:32:52 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189121#M187132 woodcock 2015-05-20T03:32:52Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189122#M187133 <P>As reported in other answers you should fix this in your props.conf at index time but if the data is already indexed you can break it as follows. Note you need the new line character after delim=" and can type it using shift-enter.</P> <PRE><CODE>|eval raw=_raw |makemv delim=" " raw | mvexpand raw | eval _raw=raw </CODE></PRE> <P>Any other fields the original event had will now be in all part events. i.e. If line3 had a user field, all 3 lines will have that user field. So you may want to delete them and re-extract for the lines with something like this. </P> <PRE><CODE>| fields - user | rex "user=\"(?&lt;user&gt;[^\"]+)\"" </CODE></PRE> Fri, 16 Feb 2018 13:46:22 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/189122#M187133 bmunson_splunk 2018-02-16T13:46:22Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/597508#M208023 <P class="lia-align-justify">Hi,</P><P class="lia-align-justify">How about a have an csv file, the forwarder should break into multilines, but it didn't. What should i write props.conf</P><P class="lia-align-justify">CSV looklike in 1 event:</P><PRE>G2nS32m2gEaFZUrh,UDP,2294,64021328,447952334,511973662,1652264015 xNeJ2gTvj9wAl5Hi,UDP,2294,15902274,180739240,196641514,1652263847</PRE><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Maybe:&nbsp;</P><PRE>LINE_BREAKER = \\n([\r\n]+)</PRE><P>Does it right?&nbsp;</P> Thu, 12 May 2022 05:06:09 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/597508#M208023 lnn2204 2022-05-12T05:06:09Z https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/597520#M208028 Please create a new unsolved question, then you will get much easier a solution to it. Thu, 12 May 2022 06:41:47 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-break-multiline-event-into-separate-events/m-p/597520#M208028 isoutamo 2022-05-12T06:41:47Z