Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

event line break in props

narenpg
Explorer
‎11-21-2024 01:31 PM 
---------------------------- This is an Example (He/She) -----------------------------
Version:		21.04.812-174001 
Date/time:		2024-10-18/01:00:06 (2024-10-18/05:00:06 UTC)
User/aplnid:		/2370
ComputerName/-user:	Ann/King
Windows NT version 6.2, build no. 9200 /10872/6241785241
-> Loading program
----------------------------------------------------------------------------------------------------

---------------------------- This is an Example (He/She) -----------------------------
Version:		21.04.812-174001 
Date/time:		2024-10-18/01:00:06 (2024-10-18/05:00:06 UTC)
User/aplnid:		/2370
ComputerName/-user:	James/Bond
Windows NT version 6.2, build no. 9200 /10872/6241785241
-> Start APL (pid 8484)
----------------------------------------------------------------------------------------------------

---------------------------- This is an Example (He/She) -----------------------------
Version:		21.04.812-174001 
Date/time:		2024-10-18/01:00:06 (2024-10-18/05:00:06 UTC)
User/aplnid:		/2370
ComputerName/-user:	Martin/King
Windows NT version 6.2, build no. 9200 /10872/6241785241
-> Initialising external processes
----------------------------------------------------------------------------------------------------

I am trying to break events at "This is an Example" 

[mysourcetype]
TIME_FORMAT = %Y-%m-%d/%H:%M:%S
TIME_PREFIX = Date\/time:\s+
TZ = US/Eastern
LINE_BREAKER = (.*)(This is An Example).*
SHOULD_LINEMERGE = false

This works when i test in "Add Data" but it is not working under props.conf. All the lines are merged into one event. What is the issue in this?

Labels (2)
0 Karma
Reply

narenpg
Explorer
‎11-21-2024 02:33 PM

1. It truncates hyphen - before the "This is an Example" now i added ([\r\n+])(.*)(This is an Example).* it captures everthing. But the events are broken into single lines. I have set SHOULD_LINE_MERGE = false. 

2. Yes props.conf is on the proper component

3.  i verified using this command

      splunk btool inputs list --debug  (there is no other setting that is overwriting LINE_BREAKER)

NOTE:  can i use BREAK_ONLY_BEFORE instead of LINE_BREAKER

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-22-2024 01:48 AM

1. OK. It's just that I'd probably just cut the whole "This is an example" line if it's just a constant delimiter between the events.

2. Where? And what does your ingestion process look like?

3. LINE_BREAKER is not defined at input level. It's defined in props but I'm assuming you meant "splunk btool props list", not inputs. If not, check props, not inputs.

BREAK_ONLY_BEFORE is a setting used only when SHOULD_LINEMERGE is set to true and that case is best avoided (there are very very rare cases where it makes sense; if possible, avoid enabling line-merging)

0 Karma
Reply

narenpg
Explorer
‎11-22-2024 07:03 AM

1. Yes This is the constant delimiter ---------------------------- This is an Example (He/She) -----------------------------

2. It picks up every 7th line and skips others. I think that is because i used \n+ right?
3. I should have used "splunk btool props list" instead of inputs.. I ran the command and i see only one LINE_BREAKER for that sourcetype.

Thanks for the info on BREAK_ONLY_BEFORE

What is the Regex i should use it on the LINE_BREAKER?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-21-2024 01:50 PM

1. Are you sure the LINE_BREAKER is right? I mean - the capture group in the LINE_BREAKER will be treated as the line breaker and will be removed from the stream. Are you sure you want to cut this much? Not more, not less? Also you usually include \r and/or \n explicitly in your line breaker definition. Otherwise the results might not be what you expect.

2. Are you sure you're putting your props.conf on the proper component in your environment?

3. Did you verify with btool that there is no other setting overwriting your line breaker?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...