Hi

I am facing a challenge with some of the splunk logs being merged as a one event.

I have tried breaking them by updating below in splunk forwarder config but doesnt't work.

can someone suggest what i am missing here

props.conf  in  local

########## APPLICATION SERVERS ######
[default]
SHOULD_LINEMERGE = false

[event_logservice]
SHOULD_LINEMERGE = false
LINE_BREAKER= (\d{4}-\d{2}-\d{2}\s+\d+:\d+:\d+.\d+\s+-\d+\s+Event)
MAX_TIMESTAMP_LOOKAHEAD = 75
TRUNCATE = 0

Additional details : Logs are being written to files by logstash and then forwarder is reading and pushing data

My log file :

2020-08-17 14:49:21.161 -0700 Event log_level="info" build_id="HEAD (d3b8457cc9)" bzdate="20200817" serial_no="KJST45HSS" register="ABC" sessionId="KJST45HSS_20200817_144739196_1" wid="H34-vx-841D6B9C-8158-4975-9AB3-FDB5E9FD80E8" component="Manager" message="adding "
2020-08-17 14:49:21.163 -0700 Event log_level="info" build_id="HEAD (d3b8457cc9)" bzdate="20200817" serial_no="KJST45HSS" register="ABC" sessionId="KJST45HSS_20200817_144739196_1" wid="H34-vx-841D6B9C-8158-4975-9AB3-FDB5E9FD80E8" component="Manager" message="adding completion "

** example above 2 rows and shown merged in splunk.. and it is happending randomly for other log events also.