Splunk incorrect default line breaking- What am I ...

phamxuantung · ‎03-02-2023

Hello, I have a sourcetype that have a default LINE_BREAKING and SHOULD_LINEMERGE=false, like so:

Per my understanding, this mean it automatically extract each line as one event. But the indexed data is like this:

The red event is correct with linecount=1, but most of the events have linecount=2, some have event more without line breaking. So what should I fix?

gcusello · ‎03-02-2023

Hi @phamxuantung,

where did you located this props.conf?

it must be located on Indexers and (if present) on intermediate Heavy Forwarders, not on Universal Forwarders.

Ciao.

Giuseppe

phamxuantung · ‎03-03-2023

I setup for sourcetype in props.conf in my indexer with

LINE_BREAKER = ([\r\n]+)

SHOULD_LINEMERGE = false

But it still indexed with incorrect line break

phamxuantung · ‎03-03-2023

This props.conf is in my /splunk/etc/apps/search/local and made in my search head (Setting -> Source types -> New Source type). We have a structure of 1 Master (and where we manage deployment apps) 1 search head and 4 indexer cluster. In most case, we create source type directly in our Search head. So you're telling me I should have setup props.conf in my indexer cluster for it to work correctly?

LRF · ‎03-03-2023

hi @phamxuantung LINE_BREAKER is applied during the Parsing Pipeline, so the instance with the LINE_BREAKER and SHOULD_LINEMERGE = false (merging pipeline) must be set on HF/Indexer level.

LINE_BREAKER on Search Heads would work if that Search Heads are directly indexing events (i.e. in Splunk all-in-one architectures), hence parsing events themself.

Hope this helps,

Fabrizio

Splunk incorrect default line breaking- What am I doing wrong?

data

props.conf

sourcetype

universal forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life