Line break in multiline event

RobertRi
Communicator

Hi

I have a script which gathers each db and displays the schema, name, tablespace, indexspace and date from each table.

It looks like this
schema name tablesapce indexspace date
SYS Table1 3434 3432 2013-01-22
SYS Table2 34535 33 2013-01-22

When I get an event with under 257 tables, they are displayed as one event.
If I get an event with more than 257 tables, then the first event is a 257-line event and the other hundreds of events are single-line events.

I have set MAX_EVENTS = 5000 in the inputs.conf and restarted the forwarder, but without success.

Do you have any hints on how I can get these events as one multiline event?

Thanks
Rob

1 Solution

RobertRi
Communicator

Hi Stefano

I have used the following in the props.conf on the forwarder to keep the multiline event together.

[sourcetype]
SHOULD_LINEMERGE = true
MAX_EVENTS = 5000

Now the events are gathered together.

RobertRi
Communicator

You gave me the necessary hint, thanks.

stefano_guidoba
Communicator

Sorry, I thought you were asking how to split lines into single events 🙂 Glad you've found the solution anyway!
BTW, SHOULD_LINEMERGE is set to true by default, so you won't need to specify it in props.conf 🙂

stefano_guidoba
Communicator

In props.conf, set the SHOULD_LINEMERGE parameter for this particular input to false:
[sourcetype]
SHOULD_LINEMERGE = false

By default it's set to true, so Splunk will assume that until a line breaker event is found (e.g. a timestamp) all the following data are grouped in one single event. After 256 lines, Splunk automatically cuts the event.
