Configure linebreaking
This documentation does not apply to the most recent version of Splunk.
In some cases, you need to do additional work with logs whose records span multiple lines. Here are a couple of sample entries from the API log:
#### 2010-03-17 10:13:47,543
nameSpace: content.static.API
subscriberID: 107018813
callerID: TTCOV104435254-7305027
driver: content.jdbc.ContentDriver
callerAction: MAR10354LA
host: 10.52.60.28
connectionResult: SUCCESS
Details: Successfully updated contentDB
#### 2010-03-17 10:13:48,626
nameSpace: content.static.API
subscriberID: 3238231843
callerID: TTCOV106842965-5744617
driver: content.jdbc.ContentDriver
callerAction: MAR10899LA
host: 10.52.60.27
connectionResult: SUCCESS
Details: Successfully updated contentDB
A single record spans multiple lines, and the start of a new record is marked by the string #### at the beginning of a line. Splunk can automatically figure out the boundaries between records just fine, but sometimes you need to do a little more work and set the line breaks using the configuration files.
To set up line-breaking for these logs:
1. From the command line, go to $SPLUNK_HOME/etc/system/local.
Note: Splunk stores configuration files in various directories. The default directories store Splunk's defaults and are overwritten whenever you upgrade Splunk. Always create your customizations in the local directory.
2. Create a text file called props.conf.
3. Add the following stanza to the file:
[apilog]
BREAK_ONLY_BEFORE = ^####
This stanza contains:
- [apilog]: The source type to which the stanza applies.
- BREAK_ONLY_BEFORE = ^####: Specifies the linebreak location using a regex.
See Configure linebreaking for multi-line events in the Admin manual for more information about linebreaking.
4. Save the file.
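To check the regex against sample data before deploying props.conf, the following added example (not Splunk's code, and only an approximation of its line merging) groups lines into events on ^#### and parses each record's fields. The function names and the trimmed sample are constructed for illustration.

```python
import re
from datetime import datetime

# Same pattern as the BREAK_ONLY_BEFORE value in the [apilog] stanza.
BREAK_ONLY_BEFORE = re.compile(r"^####")

# Constructed sample, shaped like the API log entries on this page.
SAMPLE = """\
#### 2010-03-17 10:13:47,543
nameSpace: content.static.API
subscriberID: 107018813
host: 10.52.60.28
connectionResult: SUCCESS
Details: Successfully updated contentDB
#### 2010-03-17 10:13:48,626
nameSpace: content.static.API
subscriberID: 3238231843
host: 10.52.60.27
connectionResult: SUCCESS
Details: Successfully updated contentDB
"""

def merge_lines(text, pattern=BREAK_ONLY_BEFORE):
    """Group lines into events; a new event starts only on a matching line."""
    events, current = [], []
    for line in text.splitlines():
        if pattern.search(line) and current:
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events

def parse_event(lines):
    """Turn one merged event into a dict of its 'key: value' fields."""
    record = {}
    if BREAK_ONLY_BEFORE.search(lines[0]):
        stamp = lines[0].lstrip("#").strip()
        record["timestamp"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")
        lines = lines[1:]
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record

if __name__ == "__main__":
    for event in merge_lines(SAMPLE):
        print(parse_event(event))
```

A pattern that never matches collapses the whole file into a single event, which is the failure to look for when a search over this source type returns one oversized record.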
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8