Splunk Enterprise

event cannot break line

thangs4
Engager

Hi everyone, I have a problem with the line-break in Splunk. I have tried following the methods in other posts.
Here is my props.conf:
[test1:sec]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=AUTO
disabled=false
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%9QZ
TIME_PREFIX=<TimeCreated SystemTime='

When I applied this sourcetype in raw windows, it worked. But after I finished, it was one event (screenshot).


raw windows (screenshot)

PickleRick
SplunkTrust

Where did you put your props.conf? (on which component)

And what does your ingest process look like? Because that's apparently not data from a windows eventlog input.


KendallW
Contributor

Hi @thangs4 ,

From your second screenshot it doesn't look like the events are being parsed correctly. It looks like there wasn't a clean break between the events, and a timestamp wasn't extracted from the first event. 

Try using these settings in props.conf on your indexer/HF to explicitly break events before/after the <Event> and </Event> tags:

KV_MODE=xml
TRUNCATE = 0
SHOULD_LINEMERGE = false
LINE_BREAKER=([\r\n]+)\<Event\sxmlns
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9QZ
TIME_PREFIX=<TimeCreated SystemTime='
MUST_BREAK_AFTER = \<\/Event\>
NO_BINARY_CHECK=true
CHARSET=AUTO
disabled=false
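As an added illustration, not part of this thread or of Splunk's own code, the Python below approximates what Splunk's LINE_BREAKER does on a constructed sample of two multi-line Windows XML events: the stream is split at each match, and the text captured by the first group is thrown away as the separator. It then applies the TIME_PREFIX lookup from the settings above, so you can see why `([\r\n]+)` alone produces a fragment per line while `([\r\n]+)\<Event\sxmlns` yields one event per `<Event>`. The sample data and the timestamp regex are assumptions for the demo; MUST_BREAK_AFTER is not simulated because it only takes effect when SHOULD_LINEMERGE=true.

```python
import re
from typing import List, Optional

# Constructed sample: two Windows XML events, each spanning several lines,
# as they might arrive in a raw file (not a real eventlog input).
SAMPLE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>\n"
    "  <System>\n"
    "    <TimeCreated SystemTime='2024-06-03T04:39:06.123456700Z'/>\n"
    "  </System>\n"
    "</Event>\n"
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>\n"
    "  <System>\n"
    "    <TimeCreated SystemTime='2024-06-03T04:39:07.987654300Z'/>\n"
    "  </System>\n"
    "</Event>\n"
)

# Assumed regexes mirroring TIME_PREFIX and a %Y-%m-%dT%H:%M:%S.%9QZ timestamp.
TIME_PREFIX = re.compile(r"<TimeCreated SystemTime='")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{1,9}Z")


def line_break(raw: str, line_breaker: str) -> List[str]:
    """Approximate Splunk's LINE_BREAKER with SHOULD_LINEMERGE=false: each
    match ends the current event at the start of capture group 1, the captured
    text is discarded, and the next event starts where group 1 ends."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]  # drop empty trailing fragment


def extract_timestamp(event: str) -> Optional[str]:
    """Mimic TIME_PREFIX: the timestamp must sit right after the prefix."""
    pm = TIME_PREFIX.search(event)
    if not pm:
        return None
    tm = TIMESTAMP.match(event, pm.end())
    return tm.group(0) if tm else None


if __name__ == "__main__":
    for name, breaker in [("newline-only", r"([\r\n]+)"),
                          ("event-tag", r"([\r\n]+)\<Event\sxmlns")]:
        evs = line_break(SAMPLE, breaker)
        print(name, len(evs), "events", [extract_timestamp(e) for e in evs])
```

With the newline-only breaker 8 of the 10 fragments carry no timestamp, so Splunk would have to fall back to the previous event's time or the modtime; with the event-tag breaker both events start at `<Event` and both yield their own timestamp.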

thangs4
Engager

Thank you for your reply,

First, let me talk a little bit about my setting. I used regex101 to check the line-break in my config. About the timestamp, it matched with all the events.

I just tried your settings; it did not work. Of course, props.conf is in /system/local and I restarted Splunk. Any other ideas, sir?


KendallW
Contributor

Here are a couple of things to check:
1. Check the settings you have set in props.conf are actually being applied to the sourcetype:

$SPLUNK_HOME/bin/splunk cmd btool props list test1:sec

2. Check in the _internal logs for errors related to parsing for this sourcetype:

index=_internal splunk_server=* source=*splunkd.log* (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose) (log_level=WARN OR log_level=ERROR) data_sourcetype="test1:sec"
