Solved: Re: Event_breaker vs Line_breaker ?

daniel333 · ‎06-11-2019

All,

Is there any reason my event_breaker stanza for my UF should be different from LINE_breaker line on my indexers ? Seems to be they'd be identical.

Example of my log4j props.conf stanza -

  LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[
  EVENT_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[

thanks
-Daniel

harsmarvania57 · ‎06-12-2019

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

View solution in original post

daniel333 · ‎06-12-2019

Thanks for the extra details there. Awesome!

FrankVl · ‎06-12-2019

They should be identical, why are you asking, is it not working as expected?

harsmarvania57 · ‎06-12-2019

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

jatin_patel · ‎07-17-2020

if you are using EVENT_BREAKER on UF why do you even need LINE_BREAKER on indexers would not defeat the purpose of putting EVENT_BREAKER on UF as indexer would again run same regex on data that is already regexed by UF?

dwallen41 · ‎02-10-2022

EVENT_BREAKER is so the forwarder knows where to stop sending data for load balancing purposes. The data is unchanged when it gets to the indexers so the indexers still need the LINE_BREAKER to break the raw data into the actual events.

Event_breaker vs Line_breaker ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?