Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:02 AM

How to apply props.conf EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-24-2022 07:09 AM

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...