Our syslog data in Splunk is showing up with at least 1% of the results having incorrect line breaking.
We have tried updating many settings in props.conf (in the master-apps directory), shown below.
We are using a Universal Forwarder.
should_linemerge = true
break_only_before_date = true
should_linemerge = false
line_breaker = (\n+)
should_linemerge = true
line_breaker_lookbehind = 300
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
None of our updated settings worked. Any suggestions are welcome.
Syslog data should be one line per event. Also, entries in props.conf
are case-sensitive! Therefore, your settings can be:
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
Thanks for the suggestion. Unfortunately, I'm still getting line-break issues: I have some lines that are listed as separate events but should be part of the previous event, and they do not have a timestamp. Any other suggestions?
So your syslog data is not 1 line per event. Try this in props.conf.
Also, make sure that your settings are not being overridden by settings in other props.conf files (like SPLUNK_HOME/etc/system/local).
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
Are you sure that your timestamp format is correct? I also bumped up the lookahead for the timestamp a little bit. Again, check spelling carefully and remember that almost everything in Splunk IS case-sensitive.
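The two answers above prescribe different props.conf strategies (SHOULD_LINEMERGE = false versus SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE_DATE = true). The following is an added example, not code from the thread or from Splunk, that emulates what each strategy does to a constructed syslog sample containing a multi-line message whose continuation lines carry no timestamp, which is exactly the case the asker reports. It also emulates a third option not mentioned in the thread, a LINE_BREAKER with a timestamp lookahead, and shows why TIME_FORMAT = %b %d %H:%M:%S fits in a 15-character MAX_TIMESTAMP_LOOKAHEAD. The timestamp regex, the sample log lines and the simplified lookahead semantics are all assumptions made for the illustration; Splunk's real parser is not being called.

```python
import re
from datetime import datetime

# Constructed sample syslog data (not from the thread). Event 2 is a
# kernel message whose two continuation lines have no timestamp.
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52344 ssh2
Mar  3 10:15:02 host1 kernel: [  123.456] traceback follows
    frame 0: do_something+0x12
    frame 1: do_other+0x34
Mar  3 10:15:03 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls
"""

# Assumed regex for a line that starts with a %b %d %H:%M:%S timestamp.
SYSLOG_TS = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}")


def split_one_line_per_event(data):
    """Emulates SHOULD_LINEMERGE = false with the default LINE_BREAKER
    ([\\r\\n]+): every non-empty line becomes its own event, so the
    continuation lines of a multi-line message are split off."""
    return [line for line in data.splitlines() if line.strip()]


def merge_break_only_before_date(data):
    """Emulates SHOULD_LINEMERGE = true + BREAK_ONLY_BEFORE_DATE = true:
    a new event starts only at a line beginning with a recognised
    timestamp; any other line is appended to the previous event."""
    events = []
    for line in data.splitlines():
        if not line.strip():
            continue
        if SYSLOG_TS.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def split_with_lookahead_breaker(data):
    """Emulates SHOULD_LINEMERGE = false together with
    LINE_BREAKER = ([\\r\\n]+)(?=<timestamp regex>): the input is cut only
    at newlines that are immediately followed by a timestamp, which
    yields the same events as line merging without the merge pass."""
    breaker = re.compile(r"([\r\n]+)(?=" + SYSLOG_TS.pattern + r")")
    # re.split returns the captured newline runs too; drop those.
    return [chunk.rstrip("\r\n") for chunk in breaker.split(data) if chunk.strip()]


def extract_timestamp(event, time_format="%b %d %H:%M:%S", lookahead=15):
    """Emulates TIME_FORMAT + MAX_TIMESTAMP_LOOKAHEAD in a simplified way
    (assumption: the whole timestamp must lie within the first `lookahead`
    characters). Returns a datetime (year defaults to 1900, as strptime
    does without %Y) or None when no timestamp is found there."""
    match = SYSLOG_TS.search(event[:lookahead])
    if match is None:
        return None
    try:
        return datetime.strptime(match.group(0), time_format)
    except ValueError:
        return None


if __name__ == "__main__":
    for name, fn in (("SHOULD_LINEMERGE=false", split_one_line_per_event),
                     ("BREAK_ONLY_BEFORE_DATE", merge_break_only_before_date),
                     ("LINE_BREAKER lookahead", split_with_lookahead_breaker)):
        events = fn(SAMPLE_SYSLOG)
        print(f"{name}: {len(events)} events")
        for ev in events:
            print("  ", repr(ev), "->", extract_timestamp(ev))
```

Running it shows five events for the one-line-per-event setting (the two `frame` lines become timestamp-less events of their own, which is the symptom in the thread) and three events for the other two strategies. The lookahead LINE_BREAKER variant is worth knowing because it achieves the same result while keeping SHOULD_LINEMERGE = false; whichever you choose, the setting names must be upper case, and a 15-character lookahead is just enough for "Mar  3 10:15:01", so raising it as the second answer suggests is harmless.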