Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:02 AM

How to apply props.conf EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...