Line breaking

DuXa · ‎05-18-2015

How can I set the start and end of events in the source selection. To output only my event . I use MUST_BREAK_AFTER and Line breaking and BREAK_ONLY_BEFORE.How to use LINE_BREAKER? For example my event start: main: "number of bytes received" and finish: Send msg to queue.

woodcock · ‎05-19-2015

Generally you do 1 of 2 things; either:

1: Modify the linbreaker to consume all variations of your inter-event garbage (including newlines) with:

LINE_BREAKER=MyRegExForInterEventJunk
SOULD_LINEMERGE = false

2: Allow the junk to be part of the end of each event and tell Splunk were to break

BREAK_ONLY_BEFORE=MyRegExForWhereToBreak
SHOULD_LINEMERGE = true

Generally, the latter is preferable.

lguinn2 · ‎05-18-2015

This question is impossible to answer. Please give some examples of your data.

Also, usually you use only one of these settings: MUST_BREAK_AFTER, BREAK_ONLY_BEFORE, and LINE_BREAKER.

You don't use all three of them at once, only the setting that works best for your data.

Line breaking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation

Line breaking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence