Line merging, which uses the SHOULD_LINEMERGE setting to merge previously separated lines into events.The LINE_BREAKER setting expects a value in regular expression format. You don't normally need to adjust this setting, but in cases where it's necessary, you must configure it in the nf configuration file on the forwarder that sends the data to Splunk Cloud Platform or a Splunk Enterprise indexer. In regular expression format, this is represented as the following string: (+). By default, the LINE_BREAKER value is any sequence of newlines and carriage returns. Line breaking, which uses the LINE_BREAKER setting to split the incoming stream of data into separate lines.The Splunk platform determines event boundaries in two phases: How the Splunk platform determines event boundaries If you use Splunk Enterprise, you can configure the settings and follow the procedures in this topic on any instance that indexes the incoming data stream. You must use a heavy forwarder that you have configured to send data to your Splunk Cloud Platform instance to break incoming data into lines and subsequently merge them as you want into events. If you use Splunk Cloud Platform, you must forward any data where you need to configure event-line breaking, because there is no way to configure event-line breaking in the Splunk Web interface. If you have multiline events that the Splunk platform doesn't handle properly, you can configure it to change its line breaking behavior.

The Splunk platform handles most multiline events correctly by default. Some events consist of more than one line.