Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

entire file to a single event

722624
Path Finder
‎07-14-2017 01:22 AM

SHOULD_LINEMERGE = true
MAX_EVENTS = 99999
TRUNCATE = 9999999

SHOULD_LINEMERGE = false
LINE_BREAKER = ((FAIL*))

I have tried both of above (trying each one at a time) in indexer props.conf ...and restarted splunk..to have a simple text file , entire file to go to single event but whatever I do splunk automatically splitting the file into 2 events
Is there any way to have the entire file to single event

Thank you in advance
AB

Tags (1)
0 Karma
Reply

722624
Path Finder
‎07-17-2017 12:44 AM

surprisingly...If i download the file to my PC and upload with same source type then it is reading entire file as single event....
But if the same log file is coming from forwarder, then file is being split into 2 event...

Anybody? please help

Thank you
AB

0 Karma
Reply

bic
Explorer
‎07-17-2017 12:48 AM

please check the queue size from the forwarder , try indexing a smaller file and see if that is coming through in one piece

0 Karma
Reply

722624
Path Finder
‎07-17-2017 01:07 AM

this file is 90 lines only hardly 4kb in size....

0 Karma
Reply

722624
Path Finder
‎07-17-2017 12:03 AM

Actually documentation asked to have SHOULD_LINEMERGE= false for LINE_BREAKER ...
anyways tried your suggestion also ...
No Luck 😞

Thank you
AB

0 Karma
Reply

bic
Explorer
‎07-16-2017 10:39 PM

SHOULD_LINEMERGE= TRUE, try with that

0 Karma
Reply

722624
Path Finder
‎07-16-2017 09:36 PM

[sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (.*?)

I tried the above... still file is split into two events....the same regex (.*?) in regex101.com is selecting the entire file

Thank you
AB

0 Karma
Reply

bic
Explorer
‎07-14-2017 01:59 AM

in the LINE_BREAKER you can use regular expression to match end of file , something like (.*?) . Hope that should not break your file into two parts

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...