Archive

Why is "must_break_after" not working?

New Member

I have some events and some of them are getting broken while some of them are not.
I tried everything MUSTBREAKAFTER and LINEBREAKER.
My event shd break after "batch
size: 15"
I have 457 events:

Single event = "apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15 "

but some events are merged like below and giving only one event for 257 events together.

... 2 lines omitted ...
apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15
apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15
apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15

props.conf I used:

[sourcetype]
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = batch_size:\s+\d+ 

Please help me.

0 Karma

Splunk Employee
Splunk Employee

It looks like there's a line break - why not use SHOULD_LINEMERGE = false instead? I

0 Karma