https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567839#M197900 <P>Thanks. I have tried that still I am not getting as single event</P> Tue, 21 Sep 2021 13:41:25 GMT mm12 2021-09-21T13:41:25Z https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567793#M197887 <P>I have a log file below format and props.conf wriiten below. I am getting first four lines as one event and the remaining lines as separate events. But I want as single event . Can anyone help me on this.</P><P>&nbsp;</P><P>********************************************************************************<BR />product = WebSphere Application Server 20.0.0.3 (wlp-1.0.38.cl200320200305-1433)<BR />wlp.install.dir = /opt/IBM/wlp/<BR />java.home = /opt/IBM/sdk/jre<BR />java.version = 1.8.0_241<BR />java.runtime = Java(TM) SE Runtime Environment (8.0.6.7 - pxa6480sr6fp7-20200312_01(SR6 FP7))<BR />os = Linux (3.10.0-1160.11.1.el7.x86_64; amd64) (en_GB)<BR />process = 29193@128.161.210.72<BR />********************************************************************************<BR />[17/09/21 16:40:27:860 BST] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager I CWWKE0002I: The kernel started after 3.119 seconds<BR />[17/09/21 16:40:28:003 BST] 0000003b com.ibm.ws.kernel.feature.internal.FeatureManager I CWWKF0007I: Feature update started.<BR />[17/09/21 16:40:28:809 BST] 0000003b com.ibm.ws.config.xml.internal.ConfigEvaluator W CWWKG0033W: The value [localHostOnly] specified for the reference attribute [allowFromEndpointRef] was not found in the configuration.<BR />[17/09/21 16:40:29:051 BST] 00000030 com.ibm.ws.security.ready.internal.SecurityReadyServiceImpl I CWWKS0007I: The security service is starting...<BR />[17/09/21 16:40:29:524 BST] 00000032 com.ibm.ws.annocache.service I OSGi Work Path [ /opt/IBM/wlp/usr/servers/e2/workarea/org.eclipse.osgi/43/data ]<BR />[17/09/21 16:40:31:924 BST] 00000031 com.ibm.ws.app.manager.internal.monitor.DropinMonitor A CWWKZ0058I: Monitoring dropins for applications.<BR />[17/09/21 16:40:33:586 BST] 00000031 com.ibm.ws.cache.ServerCache I DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successful</P><P>props.conf<BR />LINE_BREAKER = ([\r\n]+)<BR />SHOULD_LINEMERGE = true<BR />BREAK_ONLY_BEFORE_DATE = true<BR />BREAK_ONLY_BEFORE = (.\d{7}.\d\d:\d\d:\d\d.\d\d)<BR />MAX_TIMESTAMP_LOOKAHEAD = 18<BR />DATETIME_CONFIG =<BR />TIME_FORMAT = %d/%m/%y %H:%M:%S:%3N %z<BR />TZ = BST<BR />TIME_PREFIX = "^<BR />TRUNCATE = 0</P><P>&nbsp;</P> Tue, 21 Sep 2021 08:03:34 GMT https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567793#M197887 mm12 2021-09-21T08:03:34Z https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567832#M197895 <P>The BREAK_ONLY_BEFORE_DATE separates events at dates so it should be no surprise that each line is a new event.</P><P>Try these settings to get the whole set into a single event.</P><LI-CODE lang="markup">LINE_BREAKER = ([\r\n]+)product = SHOULD_LINEMERGE = true MAX_TIMESTAMP_LOOKAHEAD = 18 TIME_FORMAT = %d/%m/%y %H:%M:%S:%3N %Z TIME_PREFIX = ^\[ TRUNCATE = 0</LI-CODE> Tue, 21 Sep 2021 12:42:14 GMT https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567832#M197895 richgalloway 2021-09-21T12:42:14Z https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567839#M197900 <P>Thanks. I have tried that still I am not getting as single event</P> Tue, 21 Sep 2021 13:41:25 GMT https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567839#M197900 mm12 2021-09-21T13:41:25Z https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567845#M197903 <P>Just noticed SHOULD_LINEMERGE should be "false", though it may not make much difference.</P><P>&nbsp;</P> Tue, 21 Sep 2021 14:13:16 GMT https://community.splunk.com/t5/Splunk-Search/splunk-event-splitting/m-p/567845#M197903 richgalloway 2021-09-21T14:13:16Z