Custom multi-line parsing tip

clyde772 · ‎05-03-2010

I want to chop multiline events like below. I had splunk to automatically process the data, but it didn't quite work where the event started with "Begin_Event".
How can I define custom event separation rule so that the each evens starts after "Begin_Event" tag?

(Begin_Event)

environmentFailureEvent - EAS - KG-079, Cab 1, Pos 1, active ACG, EAS 0 - May 3, 2010 00:02:55. [247] Rectifier Module Fail - Clear
(EndEvent)

(BeginEvent)

processingFailureEvent - IHLR_ALARM_APP - KTIHLR1_B, IHLR_ALARM_APP 1 - May 3, 2010 00:02:49. [17260] Subscriber Not In iDEN HLR - Minor. RC:77 imsi=450079680700513

(EndEvent)

gkanapathy · ‎05-03-2010

Just set:

SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ^\(Begin_Event\)

for your sourcetype or source in props.conf. Alternatively you could use:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\(Begin_Event\))

Variations of the above can remove the (Begin_Event) line as well.

Custom multi-line parsing tip

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Custom multi-line parsing tip

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future