Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

LINE_BREAKER not working with most basic settings

Cuyose
Builder
‎01-16-2019 09:50 AM

I have a json blob, lets ignore the fact it is json for now. I simply want to force Splunk to break a single blob on a word.

Where the string {"agent" exists multiple times, these are the the only settings I have set in props for the sourcetype.

SHOULD_LINEMERGE = false
LINE_BREAKER = {"agent

This should break, but it is not. Why is Splunk refusing to break this event? Again, I know this is json, but I want to understand LINE_BREAKER, as I have read about 3 novels on its use, and it repeatedly fails when implemented.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2019 10:17 AM

The LINE_BREAKER attribute must contain a capture group. Be warned the contents of the capture group will be discarded so choose it carefully. It's perfectly legitimate to have an empty capture group as in LINE_BREAKER = (){"agent.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-16-2019 10:18 AM

The LINE_BREAKER will not function unless you give it a capture group (there is probably an error in your error log if you search for it with something like index=_* sourcetype=splunkd LINE_BREAKER capture). Everything in the capture group will be discarded. The capture group may be empty, but it MUST exist. Try this:

SHOULD_LINEMERGE = false
LINE_BREAKER = {"agent()
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎01-16-2019 10:47 AM

Thanks, I was making it more complicated in my head.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2019 10:17 AM

The LINE_BREAKER attribute must contain a capture group. Be warned the contents of the capture group will be discarded so choose it carefully. It's perfectly legitimate to have an empty capture group as in LINE_BREAKER = (){"agent.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-16-2019 11:23 AM

Missed it by >that< much.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...