Overview of multiline events and event linebreaking
This documentation does not apply to the most recent version of Splunk.
Some events are made up of more than one line. Splunk handles most of these kinds of events correctly by default, but you may encounter examples of multiline events that Splunk doesn't recognize properly by default.
For more information about changing Splunk's default linebreaking behavior, see "Index multi-line events" in the Admin manual.
Multiline event linebreaking and segmentation limitations
Splunk applies the following limits to extremely large events during linebreaking and segmentation:
- Lines over 10,000 bytes: Splunk breaks lines over 10,000 bytes into multiple lines of 10,000 bytes each when it indexes them. It appends the field meta::truncated to the end of each truncated section. However, Splunk still groups these lines into a single event.
- Segmentation for events over 100,000 bytes: Splunk only displays the first 100,000 bytes of an event in the search results. Segments after those first 100,000 bytes of a very long line are still searchable, however.
- Segmentation for events over 1,000 segments: Splunk displays the first 1,000 individual segments of an event as segments separated by whitespace and highlighted on mouseover. It displays the rest of the event as raw text without interactive formatting.
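An added example, not part of the Splunk documentation: a pre-indexing check that reads a log as bytes and reports which lines cross the 10,000-byte and 100,000-byte limits listed above, so long fields such as encoded command lines are known before they are split or hidden in search results. It assumes one line per event; the names audit and Finding and the sample data are constructed for illustration.

```python
import io
import math
from typing import BinaryIO, Iterator, NamedTuple

LINE_LIMIT = 10_000      # bytes per indexed line (limit stated in the list above)
DISPLAY_LIMIT = 100_000  # bytes of an event displayed in search results (same list)


class Finding(NamedTuple):
    line_no: int
    size: int          # byte length without the trailing newline
    chunks: int        # number of 10,000-byte pieces the line is broken into
    hidden_bytes: int  # bytes past the display limit: searchable, not displayed


def audit(stream: BinaryIO) -> Iterator[Finding]:
    """Yield a Finding for every line longer than LINE_LIMIT bytes.

    Assumption: each line is one event, so the event-level display limit is
    applied per line. Sizes are measured in bytes, not characters, because
    the limits are stated in bytes and multi-byte text reaches them sooner.
    """
    for line_no, raw in enumerate(stream, start=1):
        size = len(raw.rstrip(b"\r\n"))
        if size > LINE_LIMIT:
            yield Finding(line_no, size, math.ceil(size / LINE_LIMIT),
                          max(0, size - DISPLAY_LIMIT))


def sample() -> bytes:
    """Constructed sample log: one short line and three oversized ones."""
    return b"\n".join([
        b"2010-01-01 00:00:01 short event",
        b"cmd=" + b"A" * 25_000,
        ("msg=" + "\u00e9" * 6_000).encode("utf-8"),  # 6,004 chars, 12,004 bytes
        b"blob=" + b"B" * 120_000,
    ]) + b"\n"


if __name__ == "__main__":
    for f in audit(io.BytesIO(sample())):
        print(f"line {f.line_no}: {f.size} bytes, split into {f.chunks} lines, "
              f"{f.hidden_bytes} bytes beyond the display limit")
```

To check a real file, open it in binary mode and pass the handle to audit().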
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11