Getting Data In

Event_breaker vs Line_breaker ?

daniel333
Builder

All,

Is there any reason my event_breaker stanza for my UF should be different from LINE_breaker line on my indexers ? Seems to be they'd be identical.

Example of my log4j props.conf stanza -

  LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[
  EVENT_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[

thanks
-Daniel

1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

View solution in original post

daniel333
Builder

Thanks for the extra details there. Awesome!

0 Karma

FrankVl
Ultra Champion

They should be identical, why are you asking, is it not working as expected?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

jatin_patel
Path Finder

if you are using EVENT_BREAKER on UF why do you even need LINE_BREAKER on indexers would not defeat the purpose of putting EVENT_BREAKER on UF as indexer would again run same regex on data that is already regexed by UF?

0 Karma

dwallen41
Engager

EVENT_BREAKER is so the forwarder knows where to stop sending data for load balancing purposes. The data is unchanged when it gets to the indexers so the indexers still need the LINE_BREAKER to break the raw data into the actual events.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...