Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure props.conf using BREAK_ONLY_BEFORE?

dturner83
Path Finder
‎06-30-2014 12:18 PM

I have the following data as a text file. Each event should run from the Date field until the next date field.

I'm using a universal forwarder to send this data to a heavy forwarder and then on to the indexer. The events either all break or none break depending if I have anything or nothing in the props.conf on the heavy forwarder but I never get event breaking before Date.

Can someone help out here? It appears I need some help with the BREAK_ONLY_BEFORE option.

The following are my props.conf files for the heavy forwarder and indexer/search head.

[sampleoutput]
# your settings
BREAK_ONLY_BEFORE=^\s*Date                                           
NO_BINARY_CHECK=1
SHOULD_LINEMERGE = TRUE

Each item below is on a new line, but should be in the same event, until the Date field shows up again.

Date = 6/24/2014
Ad = item add #1
Description line 1 = Something Good
Description line 2 = Somethinggood2.
Display URL = example.com/somethinggood
Destination URL = http=//example.com
Campaign = Campaign1
Campaign type = Search Only
Campaign subtype = All features
Ad group = addgroup1
Status = disapproved
Clicks = 0
Impressions = 0
CTR = 0.00%
Avg. CPC = 0
Cost = 0
Avg. position = 0
Converted clicks = 0
Cost / converted click = 0
Click conversion rate = 0.00%

Date = 6/24/2014
Ad = item add #2
Description line 1 = Something good
Description line 2 = Something good 2
Display URL = example.com/somethingood
Destination URL = http=//example.com
Campaign = campaign2
Campaign type = Search Only
Campaign subtype = All features
Ad group = addgroup2
Status = disapproved
Clicks = 0
Impressions = 0
CTR = 0.00%
Avg. CPC = 0
Cost = 0
Avg. position = 0
Converted clicks = 0
Cost / converted click = 0
Click conversion rate = 0.00%

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-30-2014 04:04 PM

This is a slightly different approach, but you should be able to use this:

LINE_BREAKER = ([\r\n]+)\s*Date
SHOULD_LINEMERGE = false

Should be much faster as well 😄

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-02-2014 11:44 AM

Yeah, any indextime change to configuration files requires a restart, no matter if it's a HF or Indexer.

0 Karma
Reply

dturner83
Path Finder
‎07-02-2014 11:41 AM

This took care of it. I put this in the props.conf on the heavy forwarder and it didn't change, but then I restarted splunk on the heavy forwarder and it worked like a champ. That now makes me wonder if my other changes would have worked too but I'll take your faster approach 🙂

0 Karma
Reply

dturner83
Path Finder
‎06-30-2014 01:35 PM

Yes the sourcetype matches, the regex for ^\s*Date is something I've tried as well as ^Date and Date itself.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-30-2014 01:29 PM

does the sourcetype match and does this regex match? you're using a regex that will match 0 or none spaces at the beginning of the string followed by Date. Did you try to use only BREAK_ONLY_BEFORE=Date ?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...