worked for me but had to modify the linebreaker myself. check your XML file for syntax problems as well. xmlint --noout filename.xml ; echo $? If there wasn't an error with your xml syntax, you should see result code 0 and nothing but a blank return. ... View more

No dice. My events are still getting split. props.conf root@server1:/opt/splunk/etc/apps/search/local# more props.conf [custom_source_type_poller_v1] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)(?=Start: \w+, \d+) TIME_PREFIX = ^Start:\s TIME_FORMAT = %a, %d %b %Y %H:%M:%S %z MAX_TIMESTAMP_LOOKAHEAD = 31 NO_BINARY_CHECK = true category = Custom pulldown_type = 1 disabled = false input.conf root@server1:/opt/splunk/etc/apps/search/local# more inputs.conf [monitor:///data/poller/poller_v1.log] disabled = false index = poller_index sourcetype = custom_source_type_poller_v1 time_before_close = 15 ... View more

Yup, i've been trying various combinations of data source settings, but with no success. The difficulty in playing with the settings is that what may appear to work when getting a preview with the Add Data wizard, won't work in the wild when splunk intrudes midway through a cron jobby's output. There has to be a zillion people with my problem. I will continue to try new things and look for other articles related. I stumbled upon another article that died without resolution as well. I tried his method of using "time_before_close" attribute of 5, but still no luck. https://answers.splunk.com/answers/188776/events-are-not-properly-split.html ... View more

Found some other attributes I can play with to hopefully solve the mystery... http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents MUST_BREAK_AFTER = * When set and the regular expression matches the current line, Splunk Enterprise always creates a new event for the next input line. Splunk Enterprise might still break before the current line if another rule matches. empty string MUST_NOT_BREAK_AFTER = * When set and the current line matches the regular expression, Splunk Enterprise does not break on any subsequent lines until the MUST_BREAK_AFTER expression matches. empty string MUST_NOT_BREAK_BEFORE = * When set and the current line matches the regular expression, Splunk Enterprise does not break the last event before the current line. empty string ... View more

I understand that this is the best way to do it on a static file, but the problem is in the context of a monitored file. When cron-jobbed output is being appended to the monitored file (the cron can take 1, 2 or up to 10 seconds to finish dumping those 7 lines of output), splunk can "look" at the file mid-way through the event output. If it determines a match at that perfect time, then it will cut my event short. Doing a regex match for the total output of the event (to ensure the beginning and end has been finalized and written in total), i wanted to use the event break regex to prevent splunk from detrmining an event has occured by determining that no event has occured until the regex comes back "true". That is why i am trying to tell it to only consider an event break occured when it sees "Start:" at the top and "End:" at the bottom. Here's an example of how splunk chops up my event using the normal timestamp method: I can't seem to post pics yet, here's the listed output of indexed events: See how event was broken up for 2) and 3) ? My script had not yet fully output all there was to output before splunk picked up the "new event". When it next found a match for an event break, it did so (nicely), but it lumped the chunk of ascii between the last match and this match into an event between 2) and 4). Ergo event 2) and event 3) were split. Event 5 and 6 are perfect because I lucked out as to when splunk monitored the file and discovered the new (full) events. 2 4/13/16 12:51:01.000 PM Start: Wed, 13 Apr 2016 12:51:01 -0400 Starting up poller script. Database connection established. Garbage line found, likely the header of the csv. I'm not going to insert. host = server1 source = /data/poller/poller_v1.log sourcetype = custom_source_type_poller 3 4/13/16 12:46:01.000 PM Affected Rows: 5 Parsed total lines: 1009 End: Wed, 13 Apr 2016 12:46:01 -0400 host = server1 source = /data/poller/poller_v1.log sourcetype = custom_source_type_poller 4 4/13/16 12:46:01.000 PM Start: Wed, 13 Apr 2016 12:46:01 -0400 Starting up poller script. Database connection established. Garbage line found, likely the header of the csv. I'm not going to insert. host = server1 source = /data/poller/poller_v1.log sourcetype = custom_source_type_poller 5 4/13/16 12:41:01.000 PM Start: Wed, 13 Apr 2016 12:41:01 -0400 Starting up poller script. Database connection established. Garbage line found, likely the header of the csv. I'm not going to insert. Affected Rows: 5 Parsed total lines: 1009 End: Wed, 13 Apr 2016 12:41:02 -0400 host = server1 source = /data/poller/poller_v1.log sourcetype = custom_source_type_poller 6 4/13/16 12:36:01.000 PM Start: Wed, 13 Apr 2016 12:36:01 -0400 Starting up poller script. Database connection established. Garbage line found, likely the header of the csv. I'm not going to insert. Affected Rows: 5 Parsed total lines: 1009 End: Wed, 13 Apr 2016 12:36:02 -0400 host = server1 source = /data/poller/poller_v1.log sourcetype = custom_source_type_poller ... View more

Thanks for getting into this with me J Your answer was in the context of a search-app search, when providing a raw string. I tried (?msi)Start:(?.*?)End: however, I'm stuck at the data-input section of set source type where you can specify a line of regex in order to direct splunk on where the event-break resides. I tried your variation of the regular expression there, however, the result is the same. The preview shows a hit for the line that begins "Match", but doesn't stop when it hits the first "End:". I get about 257 lines in that event (each should contain only 7 lines. Presumably this is because it wants to continue searching to the bottom of my growing file , but gets capped by MAX_EVENTS. I played with setting the greediness mode, thus switching the question mark's function, (?ms)Start:.*?End: (?Ums)Start:.*End: but it seems to be greedy either way. I can visually see what i'm after in regex101 website with my originally posted regex, but it doesn't seem to be processing the same while in splunk's data-source regex field. For the record of where i am entering the regex... add data > monitor > source Files and Directory > index once (file.log) > set source type, submenu event-breaks > regex... > field to fill in the regex here and preview on the right. ... View more