Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Line Break in multiline event doesn't work
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello fellow splunkers!
atm I'm trying to break up a huge multiline event that is merged together with &&&. When I try to explicitly tell Splunk to BREAK_ONLY_AFTER = &&& it doesn't work. I also tried BREAK_ONLY_BEFORE = \d+.\d+.\d+.\d+\s-\s- and BREAK_ONLY_AFTER = \d{3}&&&
it seems that nothing I try works. please help
here is the source log:
141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-20&product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found a solution already as provided here:
Unable-to-break-Multi-line-event-into-single-event
When using LINE_BREAKER = it is apparently mandatory to encase your regex with () otherwise it doesn't work. I didn't know that. What I used, and what worked was one of the Regex I posted above but like this:
LINE_BREAKER = (\d{3}&&&)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found a solution already as provided here:
Unable-to-break-Multi-line-event-into-single-event
When using LINE_BREAKER = it is apparently mandatory to encase your regex with () otherwise it doesn't work. I didn't know that. What I used, and what worked was one of the Regex I posted above but like this:
LINE_BREAKER = (\d{3}&&&)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't work because there is no setting called BREAK_ONLY_AFTER. There is BREAK_ONLY_BEFORE and MUST_BREAK_AFTER, however. It's more efficient, however, to use LINE_BREAKER. Try these props.conf settings.
[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (&&&)
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
TRUNCATE = 10000If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @richgalloway ,
thanks for your answer, that's exactly what I just figured out 🙂 thanks for your fast reply tho! if I wouldn't have tried this a minute ago this would've been my life saver.
and you're right - I missread props.conf.spec . What could be used is BREAK_ONLY_BEFORE or MUST_BREAK_AFTER
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
