https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568559#M198144 <P>Hi,</P><P>Need help with regex for LINE_<STRONG>BREAKER</STRONG><SPAN>&nbsp;</SPAN>attribute in props.conf.</P><P>I have the below data and wanted it as a single event in Splunk. Currently, &lt;RESULTS&gt; data splits into multiple events.</P><P>I would like to send the entire &lt;DETECTION&gt; tag as a single event. Can someone help me provide the right LINE_BREAKER pattern to be used?</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;DETECTION&gt; &lt;ID&gt;231&lt;/ID&gt; &lt;TYPE&gt;Information&lt;/TYPE&gt; &lt;SEVERITY&gt;1&lt;/SEVERITY&gt; &lt;RESULTS&gt;Line 1 : field 1 : value1 field 2: value2&lt;/RESULTS&gt; &lt;STATUS&gt;NEW&lt;/STATUS&gt; &lt;/DETECTION&gt;</LI-CODE><P>&nbsp;</P> Mon, 27 Sep 2021 14:07:31 GMT mbachhav 2021-09-27T14:07:31Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568559#M198144 <P>Hi,</P><P>Need help with regex for LINE_<STRONG>BREAKER</STRONG><SPAN>&nbsp;</SPAN>attribute in props.conf.</P><P>I have the below data and wanted it as a single event in Splunk. Currently, &lt;RESULTS&gt; data splits into multiple events.</P><P>I would like to send the entire &lt;DETECTION&gt; tag as a single event. Can someone help me provide the right LINE_BREAKER pattern to be used?</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;DETECTION&gt; &lt;ID&gt;231&lt;/ID&gt; &lt;TYPE&gt;Information&lt;/TYPE&gt; &lt;SEVERITY&gt;1&lt;/SEVERITY&gt; &lt;RESULTS&gt;Line 1 : field 1 : value1 field 2: value2&lt;/RESULTS&gt; &lt;STATUS&gt;NEW&lt;/STATUS&gt; &lt;/DETECTION&gt;</LI-CODE><P>&nbsp;</P> Mon, 27 Sep 2021 14:07:31 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568559#M198144 mbachhav 2021-09-27T14:07:31Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568566#M198149 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/69461">@mbachhav</a>&nbsp;</P><P>try this props</P><LI-CODE lang="markup">[&lt;your sourcetype&gt;] SHOULD_LINEMERGE=true NO_BINARY_CHECK=true BREAK_ONLY_BEFORE=\&lt;DETECTION\&gt;</LI-CODE> Mon, 27 Sep 2021 14:57:30 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568566#M198149 aasabatini 2021-09-27T14:57:30Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568568#M198151 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222210">@aasabatini</a>,</P><P>I tried the suggested option but it's not working as expected. Data is split into multiple events.&nbsp;</P><P>&nbsp;</P> Mon, 27 Sep 2021 15:27:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568568#M198151 mbachhav 2021-09-27T15:27:08Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568570#M198152 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/69461">@mbachhav</a>&nbsp;</P><P>can you show youe props.conf?</P><P>Regards</P><P>Alessandro</P> Mon, 27 Sep 2021 15:34:17 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568570#M198152 aasabatini 2021-09-27T15:34:17Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568571#M198153 <P>&nbsp;</P><P>Below is my props.conf file -&nbsp;</P><P>[stanza]<BR />TIMESTAMP_FIELDS=dateTime<BR />LINE_BREAKER =\&lt;DETECTION\&gt;<BR />SHOULD_LINEMERGE=true<BR />NO_BINARY_CHECK=true<BR />TZ=UTC<BR />CHARSET=UTF-8<BR />KV_MODE=xml<BR />MAX_EVENTS=50000<BR />TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ</P> Mon, 27 Sep 2021 15:37:01 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568571#M198153 mbachhav 2021-09-27T15:37:01Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568572#M198154 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/69461">@mbachhav</a>&nbsp;</P><P>&nbsp;</P><P>please can you remove the line_breaker and add this option as told you&nbsp;</P><PRE>BREAK_ONLY_BEFORE=\&lt;DETECTION\&gt;</PRE><P>&nbsp;</P><P>let me know if works</P> Mon, 27 Sep 2021 15:39:55 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568572#M198154 aasabatini 2021-09-27T15:39:55Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568575#M198156 <P>Apologies. First I tried with&nbsp;BREAK_ONLY_BEFORE=\&lt;DETECTION\&gt; but it didn't work hence I tried&nbsp;&nbsp;<SPAN>line_breaker.&nbsp;</SPAN></P> Mon, 27 Sep 2021 15:43:55 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/568575#M198156 mbachhav 2021-09-27T15:43:55Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/569645#M198544 <P>Problem has been solved with below stanza -&nbsp;</P><P>[stanza name]</P><P>TIMESTAMP_FIELDS=dateTime<BR /><STRONG>LINE_BREAKER=(\&lt;DETECTION\s)</STRONG><BR /><STRONG>SHOULD_LINEMERGE=true</STRONG><BR /><STRONG>NO_BINARY_CHECK=true</STRONG><BR />TZ=UTC<BR />CHARSET=UTF-8<BR />KV_MODE=xml<BR />MAX_EVENTS=50000<BR />TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ</P> Tue, 05 Oct 2021 07:30:16 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-a-regex-for-line-breaker-in-props-conf/m-p/569645#M198544 mbachhav 2021-10-05T07:30:16Z