https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401819#M49026 <P>Thanks, however as you can see there are special characters, how would you write regex with :</P> <P>beginning with anything (risky?) until YYYY-MM-DD?</P> <P>LINE_BREAKER = (^.+)\d{4}-\d{2}-\d{1,2} ?</P> <P><A href="https://regex101.com/r/6fN7JB/1">https://regex101.com/r/6fN7JB/1</A></P> <P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 14 Aug 2018 22:59:22 GMT splunkreal 2018-08-14T22:59:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401817#M49024 <P>Hello,</P> <P>we try to index correctly SecAudit-BackendServer.1.log from Dynatrace however the non-encrypted log files have special characters just before the timestamp :</P> <P><EM>\x00\x00\x00\xEB\x00\x00\x00&#1;2018-08-14T16:34:51.920+0200 user=toto,source=1.2.3.4,category=AuditLog,object=,event=Access,status=success,message="successfully read audit log /opt/dynatrace/dynatrace-7.0/log/server/SecAudit-FrontendServer.1.log"</EM></P> <P>in ssh:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5541i5A45BF65B5AD04FF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How would you handle with TIME_PREFIX in props.conf?</P> <P>Thanks.</P> Tue, 14 Aug 2018 15:20:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401817#M49024 splunkreal 2018-08-14T15:20:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401818#M49025 <P>Hi @realsplunk,</P> <P>IMO, this should be handled by using LINE_BREAKER. Configure line breaking to discard all special characters before date, something like below</P> <P>props.conf</P> <PRE><CODE>[sourcetype] LINE_BREAKER = ([\r\n]+^.+)\d{4}\-\d{2}\-\d{1,2} ## This will discard newline, carriage return characters along with encrypted text. SHOULD_LINEMERGE = false TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z </CODE></PRE> Tue, 14 Aug 2018 20:08:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401818#M49025 sudosplunk 2018-08-14T20:08:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401819#M49026 <P>Thanks, however as you can see there are special characters, how would you write regex with :</P> <P>beginning with anything (risky?) until YYYY-MM-DD?</P> <P>LINE_BREAKER = (^.+)\d{4}-\d{2}-\d{1,2} ?</P> <P><A href="https://regex101.com/r/6fN7JB/1">https://regex101.com/r/6fN7JB/1</A></P> <P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 14 Aug 2018 22:59:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401819#M49026 splunkreal 2018-08-14T22:59:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401820#M49027 <P>Your LINE_BREAKING regex should also include \n-new line and \r-carriage return characters inside capturing group.</P> <P>Per <A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configureeventlinebreaking#Line_breaking_general_attributes">docs</A>,</P> <P>The LINE_BREAKER expression must contain a capturing group (a pair of parentheses that defines an identified subcomponent of the match.)</P> <P>Wherever the expression matches, Splunk software considers the start of the first capturing group to be the end of the previous event, and considers the end of the first capturing group to be the start of the next event.</P> <P>Splunk software discards the contents of the first capturing group. This content will not be present in any event, as Splunk software considers this text to come between lines.</P> <P>That said, <CODE>LINE_BREAKER = ([\r\n]+^.+)\d{4}\-\d{2}\-\d{1,2}</CODE> will discard any special characters until YYYY-MM-DD.</P> <P><A href="https://regex101.com/r/6fN7JB/2">https://regex101.com/r/6fN7JB/2</A></P> Wed, 15 Aug 2018 12:22:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401820#M49027 sudosplunk 2018-08-15T12:22:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401821#M49028 <P>Hi Nittala_surya, I'm in contact with support because this doesn't work maybe bad characters impact so I'm testing SEDCMD to clean data first.</P> Fri, 17 Aug 2018 14:50:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Dynatrace-audit-logs-indexing-problem/m-p/401821#M49028 splunkreal 2018-08-17T14:50:34Z