Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

LINE_BREAKER not working with most basic settings

Cuyose
Builder
‎01-16-2019 09:50 AM

I have a json blob, lets ignore the fact it is json for now. I simply want to force Splunk to break a single blob on a word.

Where the string {"agent" exists multiple times, these are the the only settings I have set in props for the sourcetype.

SHOULD_LINEMERGE = false
LINE_BREAKER = {"agent

This should break, but it is not. Why is Splunk refusing to break this event? Again, I know this is json, but I want to understand LINE_BREAKER, as I have read about 3 novels on its use, and it repeatedly fails when implemented.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2019 10:17 AM

The LINE_BREAKER attribute must contain a capture group. Be warned the contents of the capture group will be discarded so choose it carefully. It's perfectly legitimate to have an empty capture group as in LINE_BREAKER = (){"agent.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-16-2019 10:18 AM

The LINE_BREAKER will not function unless you give it a capture group (there is probably an error in your error log if you search for it with something like index=_* sourcetype=splunkd LINE_BREAKER capture). Everything in the capture group will be discarded. The capture group may be empty, but it MUST exist. Try this:

SHOULD_LINEMERGE = false
LINE_BREAKER = {"agent()
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎01-16-2019 10:47 AM

Thanks, I was making it more complicated in my head.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2019 10:17 AM

The LINE_BREAKER attribute must contain a capture group. Be warned the contents of the capture group will be discarded so choose it carefully. It's perfectly legitimate to have an empty capture group as in LINE_BREAKER = (){"agent.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-16-2019 11:23 AM

Missed it by >that< much.

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...