Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunkforwarder pushes multiple lines as single event from windows machine logs

mayurkale471757
Explorer
‎11-29-2023 04:37 AM

Hi Team, I came across an issue where I have below sample logs in a file 

15:30:31.396|Info|Response ErrorMessage: ||
15:30:36.610|Info|Logging Rest Client Request...||
15:30:36.610|Info|Request Uri: https://abc-domain/api/xy/Identify||
15:30:36.694|Info|Logging Rest Client Response...||
15:30:36.694|Info|Response Status Code: 401||
15:30:36.710|Info|Response Status Description: Unauthorized||
15:30:36.741|Info|Response Content: ||
15:30:36.741|Info|Response ErrorMessage: ||
15:30:36.762|Info|Logging Rest Client Request...||

I am using splunk forwarder version splunkforwarder-8.2.4-87e2dda940d1-x64-release

with below prop.conf settings

 

[xyz:mnl]
LB_CHUNK_BREAKER = ([\r\n]+)

 

 

On splunk portal I am not getting one line as a one event instead I am getting multiple lines as a single event like below 

 

mayurkale471757_1-1701261344829.png

 

 

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-29-2023 05:38 AM

Hi @mayurkale471757 ,

try to upload a sample of your file using the Add Data GUI feature that guides you in the sourcetype creation.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

mayurkale471757
Explorer
‎12-04-2023 10:10 PM

Thanks Guys, changing the settings at HF solved this issue

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-04-2023 11:28 PM

Hi @mayurkale471757 ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-29-2023 05:38 AM

Hi @mayurkale471757 ,

try to upload a sample of your file using the Add Data GUI feature that guides you in the sourcetype creation.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...