- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Linebreaking not working as expected
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Linebreaking not working as expected
I have a logfile whose events are not being broken up in Splunk. Here are the two separate events that are being shown together in Splunk console.
16:45:12,772 INFO> intro_response.pl:549 main:: - Batch AAAIE120809004119P03 successfully transferred to staging server.
16:45:12,774 INFO> intro_response.pl:568 main:: - account=act,program=932,admin=opsprg12,pgmssn=932-574,wfstate='BATCH_PUBLISHED',subject=Math,grade=11,error_code='',msg='Batch published to ePEN',batchnum=AAAIE120809004119P03,batch_count=5
Here's the configuration I have in props.conf for this logfile -
TIME_FORMAT = %H:%i:%s
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = \d+:\d+:\d+\,\d+
MAX_EVENTS = 2000
This configuration was working fine earlier but it stopped working for some reason this week. Any help on this would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, but what is %i in TIME_FORMAT? Don't you think that %M would be more correct? Or even:
TIME_FORMAT=%H:%M:%S,%3N
which would let you capture the milliseconds as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you have SHOULD_LINEMERGE=false, that implies that Splunk is not seeing your line break character properly. The BREAK_ONLY_BEFORE is not used when SHOULD_LINEMERGE=false. And MAX_EVENTS should be removed - MAX_EVENTS is the maximum number of lines per event - when you set SHOULD_LINEMERGE=false, that is irrelevant because an event can have only one line.
From Configure event linebreaking:
"Splunk determines event boundaries in two steps:
- Line breaking, which uses the LINE_BREAKER attribute's regex value to split the incoming stream of bytes into separate lines. By default, the LINE_BREAKER is any sequence of newlines and carriage returns (that is, ([\r\n]+))."
So this is the default:
LINE_BREAKER=[\r\n]+
Is it possible that your line is actually separated by different characters in the log? Or, try this explicitly
TIME_FORMAT = %H:%i:%s
SHOULD_LINEMERGE = false
LINE_BREAKER=[\r\n]+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a shot...
TIME_PREFIX=^
TIME_FORMAT=%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=8
BREAK_ONLY_BEFORE=^/d{2}/:/d{2}/:/d{2}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you kbecker for your response. Just tried your suggestion. No luck though. I am still seeing separate events getting bundled up.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
