Getting Data In

line-break issues in events

fisuser1
Contributor

I'm having issues with line breaking for some reason. I'm looking to break the data into individual line events. I've included the following in the specific app's props.conf. Any suggestions?

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

raw data
y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|
y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|
y8200|ACH-R|05/16/2017|2|1|43093|106558388.19|40396|117051987.96|INC_ACH-R2-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|3|1|14949|6935959.69|5846|5575650.96|INC_ACH-R3-0516.PBS|05/16/2017||0|
y8200|ACH-R|05/16/2017|4|1|11145|2342435.86|4304|5653510.66|INC_ACH-R4-0516.PBS|05/16/2017|||

1 Solution

aakwah
Builder

Hello,

According to the docs, what you are doing should work fine; however, it doesn't work for me either.

For sample logs you have provided, the following worked fine:

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)

Regards

aakwah
Builder

I gave it a try again with LINE_BREAKER = ([\r\n]+) and it worked fine on version 6.5.3.

0 Karma

gvnd
Path Finder

Working fine, but how? Could you please explain?

Thanks in advance

0 Karma

khalidewaidah
Explorer

Hi,
1- Where is props.conf stored, and let me know whether this change will impact all logs or a specific log.
2- Can I force Splunk to monitor the log line by line using input.conf?

0 Karma

prathapkcsc
Explorer

props.conf file location: $SPLUNK_HOME/etc/system/local
Inside the directory you will find props.conf; if you don't have one, create a new one named props.conf.
Place that code inside the file, and afterwards restart the splunkd service.

0 Karma

aakwah
Builder

Hello,
$ matches the end of the line; it works the same way as ^ does with the start of the line.
Regards

0 Karma

woodcock
Esteemed Legend

You need to:

  • Make sure that the sourcetype in the stanza header matches EXACTLY the sourcetype of your data.
  • Deploy this to each of your indexers
  • Restart splunk on each indexer
  • Test by searching ONLY against data indexed AFTER the deploy/restart (old data will stay broken)
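
The following is an added example, not part of any post in this thread and not Splunk's own code: a simplified offline model of the two things the thread turns on, namely that the stanza name must match the sourcetype exactly and that LINE_BREAKER discards the text matched by its first capture group. It assumes SHOULD_LINEMERGE = false, uses Python's `re` in place of Splunk's PCRE engine, and the helper names `parse_props` and `break_events` are hypothetical.

```python
import re

# props.conf text from the thread (original poster's stanza).
PROPS = r"""
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
"""

# Constructed input: three records from the thread, joined with mixed CRLF/LF endings.
RAW = (
    "y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|\r\n"
    "y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||\n"
    "y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|\n"
)


def parse_props(text):
    """Parse props.conf-style text into {stanza_name: {setting: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def break_events(raw, sourcetype, stanzas):
    """Split raw into events; return None when no stanza matches the sourcetype."""
    settings = stanzas.get(sourcetype)  # exact, case-sensitive name match
    if settings is None:
        return None
    breaker = re.compile(settings.get("LINE_BREAKER", r"([\r\n]+)"))
    events, start = [], 0
    for match in breaker.finditer(raw):
        if match.group(1) is None:
            continue
        # Text matched by capture group 1 is the delimiter and is dropped.
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    events.append(raw[start:])
    return [event for event in events if event]


if __name__ == "__main__":
    for st in ("SPLUNK_INCL_DATA.DAT", "splunk_incl_data.dat"):
        print(st, "->", break_events(RAW, st, parse_props(PROPS)))
```

A `None` result corresponds to the first item in the checklist above: the stanza exists but never applies because the sourcetype name differs.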