Solved: Re: multi line event, break with a empty line

crazyeva · ‎08-12-2012

Hi
I want to import some mussy data to splunk
every event takes multi lines
with an empty line declaring its end
likes below shows two events:
XXX XXX XXXX
XXX XXX XX

XXX XXXX XX
XXXX XX XXXXX
XX XXX
The empty line seems to be the only basis on which could be depended to break up the event
But when i "preview" this data, empty lines are filtered.

ziegfried · ‎08-13-2012

These props.conf settings should help:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?:\r?\n){2,})

View solution in original post

ziegfried · ‎08-13-2012

These props.conf settings should help:

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?:\r?\n){2,})

crazyeva · ‎08-15-2012

exactly solved

multi line event, break with a empty line

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation