Splunk Search

How do I break into multiple events just by space?

Kitteh
Path Finder

I want the one event in the picture to be broken into many events with the spaces in between. How do I do so with props.conf?

Here's what I tried in my props.conf. I tried "LINE_BREAKER = \s" and "LINE_BREAKER = [\s]":
[daemontest]
LINE_BREAKER = ([\s]+)
SHOULD_LINEMERGE = false


0 Karma
1 Solution

Kitteh
Path Finder

This has been fixed by adding the parameter "BREAK_ONLY_BEFORE=\s"

[daemontest]
LINE_BREAKER = ([\s]+)
BREAK_ONLY_BEFORE =\s
SHOULD_LINEMERGE = false

Above are the parameters I used to split events just by space.


0 Karma
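To show what the accepted stanza actually does on the parsing tier, here is an added Python model (not Splunk code and not from the original post) of how the indexer applies LINE_BREAKER with SHOULD_LINEMERGE = false: the start of the first capturing group ends one event, its end starts the next, and the captured text is dropped. The props.conf text and the log sample are constructed for the example.

```python
import configparser
import re

# Constructed props.conf text mirroring the stanza posted in the solution.
PROPS_CONF = r"""
[daemontest]
LINE_BREAKER = ([\s]+)
SHOULD_LINEMERGE = false
"""

# Constructed stand-in for the merged event in the question: two
# syslog-style lines separated by spaces and newlines.
SAMPLE = ("Jan 10 10:00:01 host daemontest[123]: started\n"
          "Jan 10 10:00:02 host daemontest[123]: ready\n")


def read_stanza(conf_text, stanza):
    """Return one props.conf stanza as a dict, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # props.conf keys are case-sensitive
    cp.read_string(conf_text)
    return dict(cp[stanza])


def break_events(raw, line_breaker):
    """Model LINE_BREAKER with SHOULD_LINEMERGE = false: the first capturing
    group's start ends one event, its end starts the next, and its text is
    discarded. Empty chunks are dropped (a simplification of the real parser)."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, pos = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) == -1:      # group took no part in this match
            continue
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e]


def split_with_props(raw, conf_text, stanza):
    """Apply the stanza's LINE_BREAKER the way the indexer would."""
    settings = read_stanza(conf_text, stanza)
    if settings.get("SHOULD_LINEMERGE", "true").lower() != "false":
        raise ValueError("model covers SHOULD_LINEMERGE = false only")
    return break_events(raw, settings["LINE_BREAKER"])


if __name__ == "__main__":
    print(break_events(SAMPLE, r"([\r\n]+)"))                  # Splunk default: 2 events
    print(split_with_props(SAMPLE, PROPS_CONF, "daemontest"))  # 12 events
```

Running it against the default `([\r\n]+)` gives the two original lines, while the thread's `([\s]+)` stanza yields one event per whitespace-separated token, which is why s2_splunk's point matters: the same stanza on a universal forwarder changes nothing.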

s2_splunk
Splunk Employee

Are you configuring props.conf on the splunk instance that parses your event stream? That would be either your indexer, or a heavy forwarder you may have in your data ingest path.

0 Karma

Kitteh
Path Finder

I am using a universal forwarder.

0 Karma

s2_splunk
Splunk Employee

Then your parsing settings need to go on the indexer as the UF does not do any event parsing.

0 Karma

jhigginsmq
Path Finder

"LINE_BREAKER = ([\s]+)" with "SHOULD_LINEMERGE=false" should work, and it works for me after mocking up a similar example and using the preview feature of "Add Data".

Are you sure those settings are being applied, i.e. are you restarting/refreshing Splunk after editing props.conf?

0 Karma

Kitteh
Path Finder

Yes, I've restarted every time I finished editing props.conf.

0 Karma

s2_splunk
Splunk Employee

See above, these settings have no effect on the UF, they need to go on the indexer, which is where the event parsing happens.
All the forwarder sees are 64KB chunks of data read from a monitored file or received on a network input.

0 Karma