Splunk Search

SHOULD_LINEMERGE break

rbonetti
Engager

Hi all,

I would like to break some lines into mutliple events.
The break condition is the time, as you can see below in bold in the log file:

[10:27:21.937] DEBUG [RequestStatusTask] [c.s.t.p.a.c.d.p.DataPrinterWrapper] [onSequenceStatusChanged:758] printer 1 :Sequence State : READY / READY
[10:27:22.500] DEBUG [AskCodeTask] [c.s.t.p.a.c.d.p.DataPrinterWrapper]

I have configured the props.conf, but it doesn't work:

[client_log]
BREAK_ONLY_BEFORE = [\d\d:\d\d:\d\d.\d\d\d]

Thanks for your help.

Tags (1)
0 Karma

BobM
Builder

I think you would be better defining the timestamp and telling splunk to break only before a time stamp.

[client_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = \[
TIME_FORMAT = %H:%M:%S.%3N

MuS
SplunkTrust
SplunkTrust

Hi rbonetti

your regex matches not only the time string but also some . and numbers later. try the regex without the [ ] eq BREAK_ONLY_BEFORE = \d\d:\d\d:\d\d.\d\d\d this should match only your time string.

cheers

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...