Getting Data In

Does EVENT_BREAKER configuration need to be added on a Splunk UF collecting logs via WinEventLog://ForwardedEvents inputs?

murikadan
Path Finder

Hello Splunkers,

Will EVENT_BREAKER configuration be a good idea to reduce indexer stickiness for a Splunk UF collecting Windows logs via Windows Event Forwarding, or will it be handled natively by Splunk, as WinEventLog://ForwardedEvents is a Splunk-managed mechanism much like WinEventLog://Security?

[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
index = my_windows_index


anmolpatel
Builder

Yes, it is a good idea to reduce indexer stickiness and get a better spread of the data across the indexers.
These are the key/value pairs to include for all sourcetypes as best practice:

- SHOULD_LINEMERGE = <boolean>
- LINE_BREAKER = <regex>
- TRUNCATE = 99999
- TIME_PREFIX = <regex>
- TIME_FORMAT = <strptime-style format>
- MAX_TIMESTAMP_LOOKAHEAD = <integer>
- EVENT_BREAKER_ENABLE = <boolean>
- EVENT_BREAKER = <regex>
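As an added illustration (not code from the thread and not Splunk's own implementation), the Python script below models what the EVENT_BREAKER settings from the answer above do on a universal forwarder. EVENT_BREAKER_ENABLE and EVENT_BREAKER are props.conf settings that the forwarder applies per sourcetype, so the stanza they go in is the sourcetype assigned by the inputs.conf stanza in the question, not the input itself. The props.conf stanza, the regex (a boundary on the newline run before a classic "MM/DD/YYYY HH:MM:SS AM" timestamp line) and the three sample Security events are all constructed assumptions for this example. The script reads the stanza with an INI parser, compiles the regex, and splits a sample stream the way the forwarder breaks it: text captured by the regex's first group is the boundary and is dropped, events before the last boundary are complete and could be sent to any indexer, and the tail after the last boundary is held back because the forwarder cannot yet tell where that event ends. With EVENT_BREAKER_ENABLE off, the model reports no boundaries at all, which is the "sticky" case the question is about.

```python
import configparser
import re

# Hypothetical props.conf for the universal forwarder. The sourcetype stanza
# and the EVENT_BREAKER regex are assumptions for this example, not settings
# quoted from the thread. The regex puts a boundary on the newline run that
# precedes a classic "MM/DD/YYYY HH:MM:SS AM/PM" WinEventLog timestamp line.
PROPS_CONF = r"""
[WinEventLog:ForwardedEvents]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)
"""

# Constructed sample of three classic-format Security events as a forwarder
# would read them (CRLF line endings); the third event is deliberately cut
# off to stand in for a chunk that ended mid-event.
SAMPLE_STREAM = "\r\n".join([
    "10/03/2023 09:15:22 AM",
    "LogName=Security",
    "EventCode=4624",
    "ComputerName=WS01.corp.example",
    "Message=An account was successfully logged on.",
    "10/03/2023 09:15:23 AM",
    "LogName=Security",
    "EventCode=4672",
    "ComputerName=WS01.corp.example",
    "Message=Special privileges assigned to new logon.",
    "10/03/2023 09:16:01 AM",
    "LogName=Security",
    "EventCode=4688",
])


def load_event_breaker(conf_text, stanza):
    """Return the compiled EVENT_BREAKER regex for a stanza, or None when
    EVENT_BREAKER_ENABLE is not true (the forwarder then has no event
    boundaries of its own on which to switch indexers)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(conf_text)
    section = cp[stanza]
    if section.get("EVENT_BREAKER_ENABLE", "false").strip().lower() != "true":
        return None
    return re.compile(section["EVENT_BREAKER"])


def break_events(stream, breaker):
    """Model of the forwarder's event breaking: the text captured by the
    regex's first group is a boundary and is discarded, the events before
    the last boundary are complete, and whatever follows the last boundary
    is held back because the forwarder cannot yet know where it ends.
    Returns (complete_events, pending_tail)."""
    if breaker is None:
        return [], stream
    events = []
    pos = 0
    for m in breaker.finditer(stream):
        events.append(stream[pos:m.start(1)])
        pos = m.end(1)
    return [e for e in events if e], stream[pos:]


if __name__ == "__main__":
    breaker = load_event_breaker(PROPS_CONF, "WinEventLog:ForwardedEvents")
    complete, pending = break_events(SAMPLE_STREAM, breaker)
    for i, event in enumerate(complete, 1):
        lines = event.splitlines()
        print(f"event {i}: {lines[0]} ... {lines[2]}")
    print(f"held back: {pending.splitlines()[0]} ...")
```

Use it to test a candidate EVENT_BREAKER regex against a few real events captured from the forwarder before pushing props.conf out, since a regex that never matches leaves the forwarder as sticky as before and one that matches inside an event splits it. After deploying and restarting the forwarder, confirm the spread actually changed with a search such as | tstats count where index=my_windows_index by splunk_server (my_windows_index being the index from the question).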