Getting Data In

Event_breaker vs Line_breaker ?

daniel333
Builder

All,

Is there any reason my event_breaker stanza for my UF should be different from LINE_breaker line on my indexers ? Seems to be they'd be identical.

Example of my log4j props.conf stanza -

  LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[
  EVENT_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[

thanks
-Daniel

1 Solution

harsmarvania57
Ultra Champion

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

View solution in original post

daniel333
Builder

Thanks for the extra details there. Awesome!

0 Karma

FrankVl
Ultra Champion

They should be identical, why are you asking, is it not working as expected?

0 Karma

harsmarvania57
Ultra Champion

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

jatin_patel
Path Finder

if you are using EVENT_BREAKER on UF why do you even need LINE_BREAKER on indexers would not defeat the purpose of putting EVENT_BREAKER on UF as indexer would again run same regex on data that is already regexed by UF?

0 Karma

dwallen41
Engager

EVENT_BREAKER is so the forwarder knows where to stop sending data for load balancing purposes. The data is unchanged when it gets to the indexers so the indexers still need the LINE_BREAKER to break the raw data into the actual events.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...