Multi line event not breaking

shpot · ‎09-04-2019

Hello Splunk community! I have a monitored input file. A process writes a header to a continuous log file and about a minute or so later results are appended to the log. Because the lag between the header and the results is so great, Splunk is seeing this as two separate events, where in fact it should be one multi-line event (header & results). I've tried all sorts of line breaking options in props.conf but nothing seems to work. Does anyone out there have any suggestions? I can recreate it with a simple test script with a sleep, running through a while loop.

echo "date "+%F %T" This is the header" >> $OUT
sleep 30
echo "Slept for 30 seconds" >> $OUT
echo "DONE" >> $OUT

SHOULD_LINEMERGE=true
CHARSET=UTF-8
MAX_TIMESTAMP_LOOKAHEAD=25
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S
BREAK_ONLY_BEFORE_DATE=true
NO_BINARY_CHECK=true

nareshinsvu · ‎09-04-2019

Did you try

LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{2}\:\d{2}\:\d{2}

shpot · ‎09-04-2019

Thank you for your reply. It did not work.

Multi line event not breaking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Multi line event not breaking

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform