Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with logs line breaking issue?

ajitdev381
Engager
‎05-25-2023 07:42 AM

My application logs json object . Sample logs look like this:

 

 

{"ts":"05 25 2023 14:57:05.114","msg":"Listeners is invoked"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=Metaspace} value=117.305855 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'profiled nmethods'} value=41.941772 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=nonheap,id=CodeHeap 'non-profiled nmethods'} value=18.53479 MiB"
								 }
{"ts":"05 25 2023 15:05:00.031","msg":"jvm.memory.used{area=heap,id=G1 Old Gen} value=82.355469 MiB"
								 }

 

 

 

if you notice above , my application prints } in next line along with extra tabs \t

In splunk, these logs are not represented as json , All these above text are shown in one line . I learn about LINE_BREAKER and tried following line break regex but nothing worked

1) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\t]+{)

2) 
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\t]+{)

3) 
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-add_closing_bracket=s/\"$/"}/g

#3 works , splunk shows extra ending bracket with tabs

 

 

								 }

 

 

 I want splunk should consider every json object irrespective of tab and ending bracket } in next line . Please help

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2023 09:41 AM

Try this variation of option 3.

SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\{"ts":
SEDCMD-removeTabs=s/\t//g
---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...