How to stop Splunk from breaking lines at Xml Fiel...

john · ‎04-29-2012

Hi,

6 Jun 17:09:07..................

<..../>
<....../>
<....../>
abcd
hjkkk
jjjjk

This is the content of a file iam working with.Splunk breaks events at each line i have given above.Iam getting Output like this ,as 8 events.
1 6 Jun 17:09:07..................

2

3 <..../>

4 <....../>

5 <....../>

6 abcd

7 hjkkk

8 jjjjk

I want to break lines only on date ie(only one event).I have tried following configarations in props.config but its not working

NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE =false
BREAK_ONLY_BEFORE=^6 Jun

[source::.........]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE = true
MUST_NOT_BREAK_BEFORE =^<

Please help

lguinn2 · ‎04-29-2012

I would suggest

[source::yoursourcepathhere]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE = true
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 20

You might also want to check here in the manuals

Configure Timestamp Recognition

Configure Event Linebreaking

Note that bad line-breaking is often related to bad timestamps.

john · ‎04-30-2012

Thanks Iguinn.

How to stop Splunk from breaking lines at Xml Fields

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

How to stop Splunk from breaking lines at Xml Fields

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)