Getting Data In

Event_breaker vs Line_breaker ?

daniel333
Builder

All,

Is there any reason my event_breaker stanza for my UF should be different from LINE_breaker line on my indexers ? Seems to be they'd be identical.

Example of my log4j props.conf stanza -

  LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[
  EVENT_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s\[

thanks
-Daniel

1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

View solution in original post

daniel333
Builder

Thanks for the extra details there. Awesome!

0 Karma

FrankVl
Ultra Champion

They should be identical, why are you asking, is it not working as expected?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

It will be fine if your regex matches raw data, when you use LINE_BREAKER on Indexers you need to set SHOULD_LINEMERGE = false and on UF you need to set EVENT_BREAKER_ENABLE = true

EVENT_BREAKER = <regular expression>
* A regular expression that specifies the event boundary for a
  universal forwarder to use to determine when it can send events
  to an indexer.
* The regular expression must contain a capturing group
  (a pair of parentheses that defines an identified sub-component
  of the match.)
* When the UF finds a match, it considers the first capturing group
  to be the end of the previous event, and the end of the capturing group
  to be the beginning of the next event.
* At this point, the forwarder can then change the receiving indexer
  based on these event boundaries.
* This setting is only active if you set 'EVENT_BREAKER_ENABLE' to
  "true", only works on universal forwarders, and
  works best with multiline events.
* Default: "\r\n"

jatin_patel
Path Finder

if you are using EVENT_BREAKER on UF why do you even need LINE_BREAKER on indexers would not defeat the purpose of putting EVENT_BREAKER on UF as indexer would again run same regex on data that is already regexed by UF?

0 Karma

dwallen41
Engager

EVENT_BREAKER is so the forwarder knows where to stop sending data for load balancing purposes. The data is unchanged when it gets to the indexers so the indexers still need the LINE_BREAKER to break the raw data into the actual events.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...