Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does EVENT_BREAKER configuration need to be added on a Splunk UF collecting logs via WinEventLog://ForwardedEvents inputs ?

murikadan
Path Finder
‎01-04-2018 07:37 AM

Hello Splunkers,

Will EVENT_BREAKER configuration be a good idea to reduce indexer stickiness for a Splunk UF collecting windows logs via windows event forwarding or will it be handled natively by splunk as WinEventLog://ForwardedEvents is a splunk managed mechanism much like the WinEventLog://Security ?

[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
index = my_windows_index

0 Karma
Reply

anmolpatel
Builder
‎03-01-2020 06:26 PM

Yes, it is good idea to reduce indexer stickiness and get a better spread for the data across the indexers
These are the key/pair to include for all source types as best practice:

- SHOULD_LINEMERGE = < boolean >
- LINE_BREAKER = < regex >
- TRUNCATE = 99999 
- TIME_PREFIX =  < regex > 
- TIME_FORMAT = < strp-style format >
- MAX_TIMESTAMP_LOOKAHEAD = < integer >
- EVENT_BREAKER_ENABLE = < boolean >
- EVENT_BREAK = < regex >
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top