Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Line breaking odd issue

jwhughes58
Contributor
‎07-31-2024 09:33 AM

I'm working with a 9.1.2 UF on Linux.  This is the props.conf

 

[stanza]
#
# Input-time operation on Forwarders
#
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRUNCATE = 999
DATETIME_CONFIG = CURRENT

 

This is the contents of the file

 

Splunk Reporting Hosts as of 07/31/2024 12:05:01 UTC
host
hostname1
hostname2
hostname3
hostname4
...
hostname1081

 

There are 1,083 lines in the file.  I used od -cx to verify there is \n at the end of each line.  For some reason, the last entry from a search consists of the first 257 lines from the file, and then the remaining lines are individual entries.  I didn't have DATETIME_CONFIG in the stanza, so I thought that might be the issue.  It is now, and it is still an issue.  I'm out of ideas.  Anyone see this before or have an idea on how to resolve this?

TIA,

Joe

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-31-2024 11:19 AM

Wait a second. You're talking about an UF? And those props are where? On the UF or on the idx/HF? Do you use EVENT_BREAKER?

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-31-2024 11:19 AM

Wait a second. You're talking about an UF? And those props are where? On the UF or on the idx/HF? Do you use EVENT_BREAKER?

Reply
Solved! Jump to solution

jwhughes58
Contributor
‎07-31-2024 01:50 PM

@PickleRickThat was the issue.  I was only pushing to the UF and not the indexers.  Sometimes I forget that props.conf has parts that go to the indexer and parts go to the search heads.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-31-2024 10:01 AM

I had a similar problem and the answer is in Line breaking.  See Why are REST API receivers/simple breaks input unexpectedly in Getting Data In.

Tags (1)
Reply
Solved! Jump to solution

jwhughes58
Contributor
‎07-31-2024 10:11 AM

@yuanliuSo this section of the props.conf spec

MAX_EVENTS = <integer>
* The maximum number of input lines to add to any event.
* Splunk software breaks after it reads the specified number of lines.
* Default: 256

takes precedence over the LINE_BREAKER?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-31-2024 11:06 AM

It doesn't take precedence.  It just limits how many lines are allowed in each event.  Splunk has a good reason to use 256 as default.  I just wish they name the property with better clarity:-)  You mentioned that you had 1083 lines.  Raise MAX_EVENTS to 2000 for this sourcetype and you should be good. (You made a very astute observation about line count in your events from the very beginning.  I wish I had that insight so I wouldn't have been stuck for years.)

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...