https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705682#M238887 <P>Hi,&nbsp;</P><P>I have a log file on the server which I ingested in splunk through input app where I defined the index , sourcetype and monitor statement in inputs.conf. Log file on the server looks like below:</P><P>xyz<BR />asdfoasdf<BR />asfanfafd<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<BR />sdfsdfja<BR />agf[oija[gfojerg<BR />fgoaierr<BR />apodsifa[soigaiga[oiga[dogj<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<BR />sadfnasd;fiasfdoiasndf'i<BR />dfdf<BR />fd<BR />garehaehseht<BR />shse<BR />thse<BR />tjst<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<BR />asdf;nafdsknasdf<BR />asdfknasdfln<BR />asdf;nasdkfnasf<BR />asogja'fja<BR />foj'apogj<BR />aogj<BR />agf</P><P>&nbsp;</P><P>When I try searching the log file in splunk, Logs are visible howerver events are not breaking as I expect it to come. I want events to be separated as below</P><P>&nbsp;</P><P>Event 1:</P><P>xyz<BR />asdfoasdf<BR />asfanfafd<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>Event 2:</P><P>sdfsdfja<BR />agf[oija[gfojerg<BR />fgoaierr<BR />apodsifa[soigaiga[oiga[dogj</P><P>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>&nbsp;</P><P>Event 3:</P><P><BR />sadfnasd;fiasfdoiasndf'i<BR />dfdf<BR />fd<BR />garehaehseht<BR />shse<BR />thse<BR />tjst</P><P>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>Event 4:</P><P>asdf;nafdsknasdf<BR />asdfknasdfln<BR />asdf;nasdkfnasf<BR />asogja'fja<BR />foj'apogj<BR />aogj<BR />agf</P><P>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>&nbsp;</P> Mon, 02 Dec 2024 13:04:46 GMT Sailesh6891 2024-12-02T13:04:46Z https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705682#M238887 <P>Hi,&nbsp;</P><P>I have a log file on the server which I ingested in splunk through input app where I defined the index , sourcetype and monitor statement in inputs.conf. Log file on the server looks like below:</P><P>xyz<BR />asdfoasdf<BR />asfanfafd<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<BR />sdfsdfja<BR />agf[oija[gfojerg<BR />fgoaierr<BR />apodsifa[soigaiga[oiga[dogj<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<BR />sadfnasd;fiasfdoiasndf'i<BR />dfdf<BR />fd<BR />garehaehseht<BR />shse<BR />thse<BR />tjst<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::<BR />asdf;nafdsknasdf<BR />asdfknasdfln<BR />asdf;nasdkfnasf<BR />asogja'fja<BR />foj'apogj<BR />aogj<BR />agf</P><P>&nbsp;</P><P>When I try searching the log file in splunk, Logs are visible howerver events are not breaking as I expect it to come. I want events to be separated as below</P><P>&nbsp;</P><P>Event 1:</P><P>xyz<BR />asdfoasdf<BR />asfanfafd<BR />:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>Event 2:</P><P>sdfsdfja<BR />agf[oija[gfojerg<BR />fgoaierr<BR />apodsifa[soigaiga[oiga[dogj</P><P>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>&nbsp;</P><P>Event 3:</P><P><BR />sadfnasd;fiasfdoiasndf'i<BR />dfdf<BR />fd<BR />garehaehseht<BR />shse<BR />thse<BR />tjst</P><P>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>Event 4:</P><P>asdf;nafdsknasdf<BR />asdfknasdfln<BR />asdf;nasdkfnasf<BR />asogja'fja<BR />foj'apogj<BR />aogj<BR />agf</P><P>:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</P><P>&nbsp;</P> Mon, 02 Dec 2024 13:04:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705682#M238887 Sailesh6891 2024-12-02T13:04:46Z https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705683#M238888 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/274436">@Sailesh6891</a>&nbsp;,</P><P>did you tried to use LINE_BREKING option in props.conf?</P><LI-CODE lang="markup">[your-sourcetype] LINE_BREAKING = :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 02 Dec 2024 13:41:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705683#M238888 gcusello 2024-12-02T13:41:19Z https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705684#M238889 <P>No, I have not used LINE_BREAKING option.&nbsp;</P><P>Do I need to create a props.conf under splunk_home$/etc/apps/local/&nbsp;</P><P>and mention these 2 lines ?i.e [sourcetype] and LINE_BREAKING = &nbsp;:::::::::::::::::::</P> Mon, 02 Dec 2024 13:50:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705684#M238889 Sailesh6891 2024-12-02T13:50:16Z https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705685#M238890 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/274436">@Sailesh6891</a>&nbsp;,</P><P>it's a best practive to create a custom add-on containing all the parsing rules for your data, also because I suppose that there are other parsing rules that you need to add.</P><P>but anyway you can also put this two lines in another props.conf.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 02 Dec 2024 14:01:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-line-break-raw-events/m-p/705685#M238890 gcusello 2024-12-02T14:01:07Z