Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge multiple events into single events?

kannu
Communicator
‎05-17-2018 04:00 AM

Hello Splunkers,

I have one file whose starting line can be anything but that file ends with "Completed Backup" line. So currently the contents of the file are getting indexed line by line based on time. But I want the full content of the file from starting of file till "Completed Backup" in a single event.

I have checked LINE_BREAKER and SHOULD_LINEMERGE settings but didn't get the confidence on using these settings.

Please help me

Warm regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2018 08:29 AM

If you want the entire file content, regardless of how it starts, to a single events, you need to setup a LINE_BREAKER to something which will never be found on the log file.
Give this a try

[yourSourceType]
SHOULD_LINEMERGE =false
LINE_BREAKER = (MaryHadALittleLamb)
#Set below two attribute to values high enough to hold all your file content
TRUNCATE = 99999
MAX_EVENTS =1000

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2018 08:29 AM

If you want the entire file content, regardless of how it starts, to a single events, you need to setup a LINE_BREAKER to something which will never be found on the log file.
Give this a try

[yourSourceType]
SHOULD_LINEMERGE =false
LINE_BREAKER = (MaryHadALittleLamb)
#Set below two attribute to values high enough to hold all your file content
TRUNCATE = 99999
MAX_EVENTS =1000
Reply
Solved! Jump to solution

kannu
Communicator
‎05-17-2018 09:16 AM

where i need to mention in the UF props.conf or Indexer Props.conf

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-17-2018 10:06 AM

This should be in indexer or heavy forwarder, whichever comes fast.

0 Karma
Reply
Solved! Jump to solution

kannu
Communicator
‎05-17-2018 09:32 AM

@somesoni2 , where i need to mention in the UF props.conf or Indexer Props.conf

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...