Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:02 AM

How to apply props.conf EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...