
How to configure props.conf for proper line breaking of Syslog data in Splunk?

iherre312
Explorer

Our syslog data in Splunk is showing up with at least 1% of the results with incorrect line breaking.
We have tried to update many settings in props.conf (in the master-apps directory) below:
We are using a Universal Forwarder.

should_linemerge = true
break_only_before_date = true

should_linemerge = false
line_breaker = (\n+)

should_linemerge = true
line_breaker_lookbehind = 300

TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

None of our updated settings worked. Any suggestions are welcome.

lguinn2
Legend

Syslog data should be one line per event. Also, entries in props.conf are case-sensitive! Therefore, your settings can be:

SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

iherre312
Explorer

Thanks for the suggestion. Unfortunately, I'm still getting line break issues where I do have some lines that are listed as separate events, but should be part of the previous event and do not have a timestamp. Any other suggestions?


lguinn2
Legend

So your syslog data is not 1 line per event. Try this in props.conf.
Also, make sure that your settings are not being overridden by settings in other props.conf files (like SPLUNK_HOME/etc/system/local).

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25

Are you sure that your timestamp format is correct? I also bumped up the lookahead for the timestamp a little bit. Again, check spelling carefully and remember that almost everything in props.conf is case-sensitive.

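To make the difference between the two suggested stanzas concrete, here is an added example (not from the thread or from Splunk's own code) that approximates how SHOULD_LINEMERGE / BREAK_ONLY_BEFORE_DATE and MAX_TIMESTAMP_LOOKAHEAD decide event boundaries, run over a constructed syslog sample with a timestamp-less continuation line. The timestamp regex, the sample lines and the simplification that the timestamp sits at the start of each line are assumptions.

```python
import re
from datetime import datetime

# Settings from the thread. The lookahead limits how many characters at the
# start of a line are examined for a timestamp.
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 25

# Assumed regex equivalent of TIME_FORMAT for classic syslog, where the day may
# be space-padded ("May  4").
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}")


def has_leading_timestamp(line, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """True if a timestamp in TIME_FORMAT appears within the lookahead window."""
    m = TS_RE.match(line[:lookahead])
    if not m:
        return False
    try:
        # A leap year is prepended so that "Feb 29" validates like any other day.
        datetime.strptime("2024 " + m.group(0), "%Y " + TIME_FORMAT)
        return True
    except ValueError:
        return False


def one_line_per_event(raw):
    """Approximates SHOULD_LINEMERGE = false: every non-empty line is an event."""
    return [line for line in raw.splitlines() if line.strip()]


def break_only_before_date(raw):
    """Approximates SHOULD_LINEMERGE = true + BREAK_ONLY_BEFORE_DATE = true:
    a new event starts only on a line carrying a timestamp; any other line is
    appended to the current event."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if has_leading_timestamp(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# Constructed sample: the second message continues over two lines that have no
# timestamp of their own, which is exactly the case the thread is about.
SAMPLE = """May 14 11:02:31 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5
May 14 11:02:32 host1 app[555]: request failed
  caused by: connection refused
  at handler.go:42
May 14 11:02:33 host1 app[555]: retrying
"""
```

With the sample above, one_line_per_event yields five events (the two continuation lines become separate, timestamp-less events), while break_only_before_date yields three, with the continuation lines folded into the second event.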