Getting Data In

How to apply EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

hrawat_splunk
Splunk Employee
Splunk Employee

How to apply props.conf EVENT_BREAKER on UF for better data distribution instead of using outputs.conf forceTimebasedAutoLB=true?

Labels (1)
Tags (1)
0 Karma
1 Solution

hrawat_splunk
Splunk Employee
Splunk Employee

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

View solution in original post

0 Karma

hrawat_splunk
Splunk Employee
Splunk Employee

1. Any monitor/batch inputs stanza with multiline_event_extra_waittime=true on UF should have EVENT_BREAKER_ENABLE=true and EVENT_BREAKER = <regular expression> in props.conf.
Check LINE_BREAKER on HF/indexing side for these sourcetypes and set EVENT_BREAKER.

For all sourcetypes that has set multiline_event_extra_waittime=true in inputs.conf on UF
you have to set
EVENT_BREAKER_ENABLE=true
EVENT_BREAKER=<whatever LINE_BREAKER for the sourcetype set on HF or IDX>



2. For all other monitor/batch input stanzas on UF, have just EVENT_BREAKER_ENABLE=true in props.conf.

For all sourcetypes that has multiline_event_extra_waittime=false in inputs.conf on UF just
EVENT_BREAKER_ENABLE=true


3. For all TAs set EVENT_BREAKER same as LINE_BREAKER(on HF/ indexer side of props.conf)

4. Always EVENT_BREAKER(on UF side of props.conf) should be set to LINE_BREAKER(on HF/ indexer side of props.conf) value.

 

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...