How events work

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4

An event is a single record of activity within a log file. An event typically includes a timestamp and provides information about what occurred on the system being monitored or logged.


Here's a sample event:


172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953


Event or event type

Events differ from event types. An event type is a classification and can be made up of any number of events; an event is a single instance of data -- a single log entry, for example.


How event recognition works

Data enters the universal pipeline as large (10K) chunks. As part of pipeline processing, these chunks are broken into events. In the initial stage of event processing, newline characters signal an event boundary. In the next stage, the line-breaking rules for the source type or source are applied. These may be the default, learned, local or bundled line-breaking rules.


Learn more about Splunk's treatment of large events.


You can also change Splunk's default line-breaking behavior for multi-line events.
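The two stages above, as an added illustrative model (not Splunk's own code): a chunk is first split on newlines, then a per-source-type rule decides which lines start a new event and which are continuations of the previous one. The source type names, the rule table and the sample chunks are constructed for this example; a stack trace is used because it is the classic case where newline-only breaking produces fragments that a search or alert would never match.

```python
"""Illustrative two-stage event breaking. Not Splunk's implementation."""
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample chunk of single-line web access log entries.
ACCESS_CHUNK = """\
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
172.26.34.223 - - [01/Jul/2005:12:05:31 -0700] "GET /trade/app?action=login HTTP/1.1" 200 1184
"""

# Constructed sample chunk where one event spans several lines (a stack trace).
APP_CHUNK = """\
2005-07-01 12:05:27,123 ERROR TradeService - order failed
java.lang.NullPointerException
    at com.example.trade.Order.submit(Order.java:42)
2005-07-01 12:05:28,002 INFO TradeService - retry ok
"""

# Hypothetical per-source-type rules (the role props.conf plays): a pattern that
# must match at the start of every event. None means "use the default rule",
# i.e. every newline is an event boundary.
RULES: Dict[str, Optional[Pattern[str]]] = {
    "access_combined": None,
    "java_app": re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} "),
}


def break_events(chunk: str, sourcetype: str) -> List[str]:
    """Split a raw chunk into events using the rule for the given source type."""
    # Stage 1: newline characters are the candidate event boundaries.
    lines = [line for line in chunk.splitlines() if line]
    rule = RULES.get(sourcetype)  # unknown source types fall back to the default
    if rule is None:
        return lines
    # Stage 2: a line that matches the event-start pattern opens a new event;
    # any other line is glued onto the event before it. The first line always
    # opens an event, even if the chunk happened to start mid-event.
    events: List[str] = []
    for line in lines:
        if rule.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events
```

Running the same application chunk through the default rule yields four fragments instead of two events, which is exactly what goes wrong when a multi-line source is indexed without a matching line-breaking rule.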


Configuration files for event boundaries

The configuration of event boundaries can be found in props.conf. Before manually modifying any configuration file, please read about bundle files.

Revision: 207