Why is "must_break_after" not working?

akhil36109 · ‎04-01-2018

I have some events and some of them are getting broken while some of them are not.
I tried everything MUST_BREAK_AFTER and LINE_BREAKER.
My event shd break after "batch_size: 15"
I have 457 events:

Single event = "apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15 "

but some events are merged like below and giving only one event for 257 events together.

... 2 lines omitted ...
apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15
apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15
apple Type:apple  size: report  _time: 2017-03-23 01:30:00 batch_delay: 15 
batch_size: 15

props.conf I used:

[sourcetype]
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = batch_size:\s+\d+

Please help me.

jluo_splunk · ‎04-01-2018

It looks like there's a line break - why not use SHOULD_LINEMERGE = false instead? I

Why is "must_break_after" not working?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!