LINE_BREAKER_LOOKBEHIND = <integer>
* The number of bytes before the end of the raw data chunk
to which Splunk software should apply the 'LINE_BREAKER' regex.
* When there is leftover data from a previous raw chunk,
LINE_BREAKER_LOOKBEHIND indicates the number of bytes before the end of
the raw chunk (with the next chunk concatenated) where Splunk software
applies the LINE_BREAKER regex. First of all above config kicks -in only if you have 'LINE_BREAKER' regex set. Assuming you have 'LINE_BREAKER' regex '\n'. First pass, chunk1 will be processed and since there is no previous leftover chunk, chunk1 : [data1]\n 2017-01-03 12:00:00 [data2]\n 2017-01-03 12:0 Will result in creating two events data1 and data2. Rest is leftover for chunk2. Second pass, chunk2 will be processed, since we have a leftover, LINE_BREAKER_LOOKBEHIND will be applied only if leftover size > LINE_BREAKER_LOOKBEHIND. chunk2 : 0:01 [data3]\n ... In this example LINE_BREAKER_LOOKBEHIND was not applicable as leftover bytes < LINE_BREAKER_LOOKBEHIND(default 100). In case, if there is a scenario where it's applicable, all splunk is doing is to exclude first LINE_BREAKER_LOOKBEHIND bytes from regex of new string ( leftover + chunk2). Why to apply regex on entire leftover part when we already know there is no regex match( during first pass).
... View more
