Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Line breaker to break the events

raju_dara
New Member
‎11-12-2012 10:59 AM

Below is the app log content and the configuration parameters in props.conf. Not sure what is going wrong.. Output is all messed up and I dont see the events getting generated seperatly.. Any help??

11/12/2012 07:59 V XXXXXX YYY ;YYYY;1234

11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY

;ZZZZ

;ZZZY

11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUUU

11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUU1

;ZZRZ

;ZZRY

TRUNCATE=240000
TIME_PREFIX = ^Timestamp:\s
TIME_FORMAT= %m/%d/%Y %H:%M:%S
LINE_BREAKER = ([\r\n]+)(?=Timestamp:\s)
SHOULD_LINEMERGE=false

This is what I am expecting on SPLUNK
Event One
11/12/2012 07:59 V XXXXXX YYY ;YYYY;1234

Event two

11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY

;ZZZZ

;ZZZY

Event three..

11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUUU

11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY; UUUU1

;ZZRZ

;ZZRY

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-13-2012 12:15 AM

You won't see Event 3 and Event 4 merged into Event 2 as long as SHOULD_LINEMERGE is set to false, stick to the default value of true.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-13-2012 12:15 AM

You won't see Event 3 and Event 4 merged into Event 2 as long as SHOULD_LINEMERGE is set to false, stick to the default value of true.

0 Karma
Reply
Solved! Jump to solution

raju_dara
New Member
‎11-13-2012 09:46 AM

That did the knack.. Thank you soo much..

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-12-2012 12:53 PM

You do not need a time prefix or a line breaker. Try

TRUNCATE=240000 
TIME_FORMAT= %m/%d/%Y %H:%M:%S 
MAX_TIMESTAMP_LOOKAHEAD=30
SHOULD_LINEMERGE=false
BREAK_ONLY_BEFORE_DATE = true

You don't actually need the last 2 lines either, as these are the defaults. And MAX_TIMESTAMP_LOOKAHEAD is just for efficiency.

0 Karma
Reply
Solved! Jump to solution

raju_dara
New Member
‎11-12-2012 09:42 PM

Below is the output.. Last 3 lines should be part of Event2..

Event 1
11/12/2012 07:59 V XXXXXX YYY ;YYYY;1234
Event 2
11/12/2012 07:59 V XXXXXX YYY ;YYYY;YYYY
Event 3
;ZZZZ
Event 4
;ZZZY

0 Karma
Reply
Solved! Jump to solution

raju_dara
New Member
‎11-12-2012 07:48 PM

Thank you but no luck.. :(.. Any more suggestions??

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...