Solved: Line break in multiline event

RobertRi · ‎01-22-2013

Hi

I have a script which gather each db and display the schema, name, tablesapce indexspace and date from each table

It looks like this
schema name tablesapce indexspace date
SYS Table1 3434 3432 2013-01-22
SYS Table2 34535 33 2013-01-22

When I get an event under 257 Tables, they were displayed as one event.
If I get and event whit more than 257 Tables then the first event is a 257 line event and the other hundrets of events are single line events.

I have set MAX_EVENTS = 5000 in the inputs.conf and restarted the forwarder but without success

Do you have any hints how I get this events as one multiline event?

Thanks
Rob

RobertRi · ‎01-23-2013

Hi Stefano

I have used the following in the props.conf on the forwarder to keep the multiline event together.

[sourcetype]
SHOULD_LINEMERGE = true
MAX_EVENTS = 5000

now the events are gathered together

View solution in original post

RobertRi · ‎01-23-2013

Hi Stefano

I have used the following in the props.conf on the forwarder to keep the multiline event together.

[sourcetype]
SHOULD_LINEMERGE = true
MAX_EVENTS = 5000

now the events are gathered together

RobertRi · ‎01-23-2013

you gave me the necessary hint, thanks

stefano_guidoba · ‎01-23-2013

sorry, I thought you were asking how to split lines in single events 🙂 Glad you've found the solution anyway!
BTW SHOULD_LINEMERGE is set True by default so you won't need to specify it in props.conf 🙂

stefano_guidoba · ‎01-22-2013

in props.conf set SHOULD_LINEMERGE parameter for this particular input to false
[sourcetype]
SHOULD_LINEMERGE = false

By default it's set to true, so Splunk will assume that until a line breaker event is found (e.g. a timestamp) all the following data are grouped in one single event. After 256 lines, Splunk automatically cut the event.

Line break in multiline event

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life