Retain events as one file in Splunk

In Splunk, many log files, especially custom log files, end up broken into many single events rather than one event (the whole log file) as one is used to seeing from the command line. To configure Splunk to keep the more traditional whole log file instead of many events, you need to modify props.conf, located in /opt/splunk/etc/local/props.conf. If props.conf doesn't exist there, make a copy from /opt/splunk/etc/default/props.conf.

There are three settings to change in props.conf: TRUNCATE, MAX_EVENTS, and BREAK_ONLY_BEFORE.

[default]
CHARSET = UTF-8
TRUNCATE = 0
DATETIME_CONFIG = /etc/datetime.xml
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=2000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = SLp23kj4kala234ksksksk55skskQQtttQQQ
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 10000
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
Set TRUNCATE to a high value or set the value to 0 for unlimited.

Set MAX_EVENTS to a value higher than its default of 256.  I've set mine to 10000.

BREAK_ONLY_BEFORE tells Splunk to look for a pattern in your log files and to start a new event only where it finds that pattern. If you set BREAK_ONLY_BEFORE to a value you never expect Splunk to find, your log files should stay intact. For example, I've set mine to BREAK_ONLY_BEFORE = SLp23kj4kala234ksksksk55skskQQtttQQQ.
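As an added illustration (not from the original post and not Splunk's own code), here is a small Python model of how the three settings interact during line merging. It assumes a constructed four-line custom log with no timestamps and models the default outcome the post describes as "break before every line"; MAX_EVENTS caps lines per merged event and TRUNCATE = 0 means unlimited.

```python
import re

# Constructed sample: a custom log with no leading timestamps, the kind of
# file the post says Splunk splits into many single-line events.
SAMPLE_LOG = """job=nightly-backup start
copying /srv/data -> /backup
ERROR: disk quota exceeded
job=nightly-backup end rc=1
"""

# Assumption: an empty BREAK_ONLY_BEFORE stands in for the default behaviour
# the post describes (every line becomes its own event).
DEFAULT_SETTINGS = {"TRUNCATE": 10000, "MAX_EVENTS": 256, "BREAK_ONLY_BEFORE": ""}

# The values recommended in the post: 0 = unlimited, regex that never matches.
POST_SETTINGS = {"TRUNCATE": 0, "MAX_EVENTS": 10000,
                 "BREAK_ONLY_BEFORE": "SLp23kj4kala234ksksksk55skskQQtttQQQ"}


def merge_events(text, settings):
    """Simplified model of Splunk line merging (SHOULD_LINEMERGE = true).

    A line that matches BREAK_ONLY_BEFORE starts a new event; an event is
    also closed once it holds MAX_EVENTS lines; TRUNCATE > 0 cuts each
    line to that many characters. Returns the list of merged events.
    """
    regex = settings["BREAK_ONLY_BEFORE"]
    pattern = re.compile(regex) if regex else None
    truncate, max_events = settings["TRUNCATE"], settings["MAX_EVENTS"]
    events, current = [], []
    for line in text.splitlines():
        if truncate and len(line) > truncate:
            line = line[:truncate]
        starts_new = pattern is None or pattern.search(line) is not None
        if current and (starts_new or len(current) >= max_events):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    print(len(merge_events(SAMPLE_LOG, DEFAULT_SETTINGS)), "events with defaults")
    print(len(merge_events(SAMPLE_LOG, POST_SETTINGS)), "event with the post's settings")
```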