@gjanders Thanks a lot. In my testing, the LINE_BREAKER setting was applied by the indexer's default props.conf. So you are right. Line breaking is done only by the indexer or heavy forwarder.
BTW, in the case of the EVENT_BREAKER setting on a universal forwarder, it is only related to LB. I mean, with the EVENT_BREAKER setting, line breaking is not possible on the forwarder. It has LB to determine where the event boundary is. Even though EVENT_BREAKER is enabled on the universal forwarder, LINE_BREAKER on the indexer would be applied. Is my understanding correct?
I would greatly appreciate it if you could answer again. Thank you!
@brandy81 that is correct, EVENT_BREAKER is related to line breaking.
There are details somewhere but without event breaker, if you have a rapidly updating file with a monitor:// stanza, Splunk cannot switch to a new backend server as it is unsure where the end of the event is.
Therefore it waits until the data stops for a few seconds and then switches (this can result in a file going to 1 indexer/backend server).
EVENT_BREAKER makes it clear when the event is over and when it can safely switch to another indexer/backend server...
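
An added illustration of the split discussed in this thread (not posted by either participant): a props.conf pair in which the universal forwarder only marks event boundaries for load balancing and the indexer does the actual line breaking. The sourcetype name `my_app_log` and the leading `YYYY-MM-DD` timestamp format are assumptions made for the example.

```ini
# props.conf on the universal forwarder
# Tells the forwarder where an event ends so it can switch indexers
# between events. It does not break the stream into events itself.
[my_app_log]
EVENT_BREAKER_ENABLE = true
# The first capture group is the boundary; the next event is assumed
# to start with a date such as 2024-01-31 (assumed format).
EVENT_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s

# props.conf on the indexer (or heavy forwarder)
# This is where the data is actually split into events.
[my_app_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s
```

Keeping the two regexes identical means the forwarder switches indexers at the same boundaries the indexer will use when it breaks events, so a multi-line event is not split across two indexers.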