Spread our blog


Hi guys !!

You all know that for creating any dashboards, reports , alerts etc. in Splunk we need some events. It is the responsibility of Splunk Developers. But for on-boarding, parsing  and filtering some  data in Splunk you have to be confident  in handling the configurations files. For parsing some data we use props.conf and also we do parsing on the Heavy Forwarder(HF).Today we will show you how to break the events using BREAK_ONLY_BEFORE attribute. You have to use this attribute inside  props.conf. You can find the props.conf in following path.


After that you have to configure the props.conf.

If you are using stand-alone system you can configure props.conf at the time of adding data into Splunk from the GUI.

See below we have given a sample data.

how  are  you?
i am fine.
also how you feel?
are you speak in english
however are you feel
i send pic to you

We have saved this data into a file.

Follow the below steps :

Step 1:

Login to Splunk by your credentials.

Step 2:

You can see the Add Data option on the middle of the screen. Click on Add Data.

Step 3:

Select the method. We will upload some data from our local system. So click on Upload.

Step 4:

Click on Select File.

Step 5:

Select the file you want to upload. Here we have selected the file where we had saved our sample data. Click on Open.

Step 6:

After uploading the data click on Next.

Step 7:

Now you can Advanced option on the left side. Click on Advanced to configure props.conf. From here whatever you will write that will be saved in the props.conf file in the back end.

Step 8:

Now write attributes in Advanced option. How to use this command you can see below.­ Then click on Apply settings.


Here we have written BREAK_ONLY_BEFORE = how and SHOULD_LINEMERGE = true then which line contains string ‘how’ , before that line event will be broken into another event.

But if the string which I have  given means “how” is not there ,those line will merged with the previous event until it gets a new line which contain how.

NOTE: Use of hard-code value is not good. Because if some portion of any word matches with specified string then also it will work as above discussed manner. And then the attribute break upon it’s policy. So be careful when use hard code value.

Here we take a string say how whenever  this string is matched then the line will be  break upon it’s  policy. Suppose a string however is coming in line then also this attribute will be working because how is also a part of “however”. 

Hope, this has helped you in achieving the below requirement without fail:

You can also know about :  How To Backfill In Summary Index ( How To Manage Summary Index Gaps In Splunk )


Happy Splunking  !!

What’s your Reaction?

Spread our blog
Previous articleHow To Pass Country Value From a Cluster Map using Drilldown
Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing!! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content and it's work reflects that.


Please enter your comment!
Please enter your name here