Configure BREAK_ONLY_BEFORE

Azwaliyana · ‎11-01-2021

I just want to configure BREAK_ONLY_BEFORE. When I save the source type, it automatically adds LINE_BREAKER. I do not want the LINE_BREAKER to be there as it will remove the regex that I have specified in BREAK_ONLY_BEFORE. I have done many things.

I want it to be like this.

But when I save it, Splunk automatically add the regex that I have specified for BREAK_ONLY_BEFORE as LINE_BREAKER. And the result is like this. Splunk remove the pg-2

What should I do to keep my regex not being removed by Splunk but I want it to split into another event?

richgalloway · ‎11-02-2021

How are you saving the settings? I've never seen Splunk automatically add LINE_BREAKER before. What version of Splunk are you using?

---
If this reply helps you, Karma would be appreciated.

Azwaliyana · ‎11-09-2021

I click on Save As button that appears here which is for the source type after uploading the file.

Do you have any solutions for this? I use Splunk 8.1.3

Configure BREAK_ONLY_BEFORE

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Configure BREAK_ONLY_BEFORE

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future