Getting Data In

line-break issues in events

Contributor

I'm having issues with line breaking for some reason. I'm looking to break into individual line events. I've included the following in the specific app's props.conf. Any suggestions?

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

raw data
y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|
y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|
y8200|ACH-R|05/16/2017|2|1|43093|106558388.19|40396|117051987.96|INC_ACH-R2-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|3|1|14949|6935959.69|5846|5575650.96|INC_ACH-R3-0516.PBS|05/16/2017||0|
y8200|ACH-R|05/16/2017|4|1|11145|2342435.86|4304|5653510.66|INC_ACH-R4-0516.PBS|05/16/2017|||

1 Solution

Builder

Hello,

According to the docs, what you are doing should work fine; however, it doesn't work for me either.

For sample logs you have provided, the following worked fine:

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)

Regards

Builder

I gave it a try again with LINE_BREAKER = ([\r\n]+) and it worked fine on version 6.5.3.

Path Finder

Working fine, but how? Could you please explain?

Thanks in advance

Explorer

Hi,
1- Where is props.conf stored? Also, let me know whether this change will impact all logs or a specific log.
2- Can I force Splunk to monitor a log line by line using input.conf?

Explorer

props.conf file location: $SPLUNK_HOME/etc/system/local
Inside the directory you will find props.conf; in case you don't have one, create a new one with the name props.conf.
Place that code inside the file, and after that restart the splunkd service.

Builder

Hello,
$ matches the end of the line; it works the same way as ^ does with the start of the line.
Regards

Esteemed Legend

You need to:

  • Make sure that the sourcetype in the stanza header matches EXACTLY the sourcetype of your data.
  • Deploy this to each of your indexers.
  • Restart Splunk on each indexer.
  • Test by searching ONLY against data indexed AFTER the deploy/restart (old data will stay broken).
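
An added example, not part of the thread: a Python sketch for checking a LINE_BREAKER regex against sample rows offline, before deploying it and waiting for new data to be indexed. It models the documented rule that the text matched by the first capture group is discarded between events; Python's re stands in for Splunk's PCRE engine, and the function names and the mixed CRLF/LF sample are constructed for illustration.

```python
import re

# Regex from the thread's props.conf: LINE_BREAKER = ([\r\n]+)
LINE_BREAKER = r"([\r\n]+)"

# Constructed sample: three of the thread's rows, given mixed CRLF/LF endings.
SAMPLE = (
    "y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|\r\n"
    "y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||\n"
    "y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|\r\n"
)


def break_events(raw, line_breaker=LINE_BREAKER):
    """Split raw text on a LINE_BREAKER-style regex: the text matched by
    capture group 1 is discarded, the event ends before it and the next
    event starts after it."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) == m.end(1):    # empty or unmatched group: no boundary
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    if start < len(raw):              # trailing data without a final newline
        events.append(raw[start:])
    return [e for e in events if e]


def merged_events(events, expected_pipes=13):
    """Return events whose '|' count differs from a single row's (13 in the
    sample); rows that were merged into one event show up here."""
    return [e for e in events if e.count("|") != expected_pipes]


if __name__ == "__main__":
    good = break_events(SAMPLE)
    print(len(good), "events,", len(merged_events(good)), "merged")
    # A breaker that only fires on blank lines leaves all rows in one event.
    bad = break_events(SAMPLE, r"(\n\n+)")
    print(len(bad), "events,", len(merged_events(bad)), "merged")
```
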