Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:02 AM

How to apply props.conf EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...