Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is the regex for line break in an HF/Indexer the same as the Event_Breaker in a universal forwarder?

akshatj2
Path Finder
‎10-29-2018 12:21 PM

Hi All,

Could you please help me understand if the regex for line break in HF/Indexer is the same as the Event_Breaker in a universal forwarder? Also, if Event_Breaker is defined, is it still recommended to give Line Break in heavy forwarder or Indexer?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-29-2018 02:52 PM

Yes to both questions, EVENT_BREAKER requires the EVENT_BREAKER_ENABLE flag, it helps the universal forwarder know when it can change to a new server listed in outputs.conf when the autoLBFrequency or autoLBVolume is reached, without this setting the forwarder will wait for the file that is monitored to stop updating for a period of time before making the switch to a different backend server in the outputs.conf list.

The above setting makes no difference to the indexer/heavy forwarding tier which is parsing the data (except in a few edge cases on the UF).

Therefore you want both, the LINE_BREAKER is still required if you have SHOULD_LINEMERGE=false and you want a multi-line event.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...