How to break event logs

rahulmanthena · ‎08-19-2019

In our Splunk enterprise event logs are not breaking.

Two events are coming as one event.

somesoni2 · ‎08-19-2019

It happens when your log data is not able to parsed correctly by Splunk automatically (if you don't have to event breaking rules defined for the sourcetype you're using and your data format is not following default Splunk's rules) OR your log data format is different from the rules you've defined for your custom sourcetype. Check what sourcetype you're using, if you've event breaking defined for that sourcetype and if log data is following that event breaking rule.

Sukisen1981 · ‎08-19-2019

hi @rahulmanthena

well this is a generic question. but there are multiple options available - https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configureeventlinebreaking

If you are struggling with something specific, please post the issue in more detauls

How to break event logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

How to break event logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future