How to configure props.conf for proper line breaki...

iherre312 · ‎09-14-2015

Our syslog data in Splunk is showing up with at least 1% of the results with incorrect line breaking.
We have tried to update many settings in props.conf (in the master-apps directory) below:
We are using a Universal Forwarder.

should_linemerge = true
break_only_before_date = true

should_linemerge = false
line_breaker = (\n+)

should_linemerge = true
line_breaker_lookbehind = 300

TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

None of our updated settings worked. Any suggestions are welcome.

lguinn2 · ‎09-14-2015

Syslog data should be one line per event. Also, entries in props.conf are case-sensitive!Therefore, your settings can be:

SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

iherre312 · ‎09-14-2015

Thanks for the suggestion. Unfortunately, I'm still getting line break issues where I do have some lines that are listed as separate events, but should be part of the previous event and do not have a timestamp. Any other suggestions?

lguinn2 · ‎09-14-2015

So your syslog data is not 1 line per event. Try this in props.conf.
Also, make sure that your settings are not being overridden by settings in other props.conf files (like SPLUNK_HOME/etc/system/local)

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25

Are you sure that your timestamp format is correct? I also bumped up the lookahead for the timestamp a little bit. Again, check spelling carefully and remember that almost everything in IS case-sensitive.

How to configure props.conf for proper line breaking of Syslog data in Splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life