How to stop Splunk from breaking lines at Xml Fiel...

john · ‎04-29-2012

Hi,

6 Jun 17:09:07..................

<..../>
<....../>
<....../>
abcd
hjkkk
jjjjk

This is the content of a file iam working with.Splunk breaks events at each line i have given above.Iam getting Output like this ,as 8 events.
1 6 Jun 17:09:07..................

2

3 <..../>

4 <....../>

5 <....../>

6 abcd

7 hjkkk

8 jjjjk

I want to break lines only on date ie(only one event).I have tried following configarations in props.config but its not working

NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE =false
BREAK_ONLY_BEFORE=^6 Jun

[source::.........]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE = true
MUST_NOT_BREAK_BEFORE =^<

Please help

lguinn2 · ‎04-29-2012

I would suggest

[source::yoursourcepathhere]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE = true
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 20

You might also want to check here in the manuals

Configure Timestamp Recognition

Configure Event Linebreaking

Note that bad line-breaking is often related to bad timestamps.

john · ‎04-30-2012

Thanks Iguinn.

How to stop Splunk from breaking lines at Xml Fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation