topic Re: linebreaking issue in Getting Data In

linebreaking issue

ebailey — Sun, 28 Jul 2013 06:41:14 GMT

I need some help getting Splunk to line break properly. I have a poorly formatted log file that is pulled from a mainframe so getting the formatting of the message changed would be extremely tough. I was hoping to use Splunk's built-in tools to handle the issue, but I cannot get this to work right at all.

Here is a sample event

20131992359247000|2013|199|235924|7000|7000|xxxx|xxxx|xxxx|xxxxxxx|xxxx|3101600002xx 02153604 |1|06|xx|U |00000000|205|xxxx - xxxxxxxxxxxxxxxxxxxxxx| |

I want to have every line break before

20131992359247000 (this is not a static value - it changes for every events)

but my regex is not working. Any suggestions

Thanks

Re: linebreaking issue

gkanapathy — Sun, 28 Jul 2013 22:23:14 GMT

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)20131992359247000

well, if it's not a static value, then you are going to have to say how it differs from every other line. i'm also assuming that you actually have multiple lines and that your problem is that you want to break at the beginning of a particular line that matches some pattern. So the question is, what is that pattern? And the answer to that is your regex. It would be helpful if you described it in words if you can't do so in regex. But let's say that it's just every line that starts with a 17-digit number, and then the pipe. Then it's just:

([\r\n]+)\d{17}\|

Or maybe it's more restrictive, and there are other lines with 17-digit numbers at the start that you don't want to break on. Or maybe the 17-digit number in the middle of the line. You need to say it, not make us guess.

Re: linebreaking issue

ebailey — Mon, 29 Jul 2013 13:54:53 GMT

20131992359247000 is not a static value

Re: linebreaking issue

ddarmand — Mon, 29 Jul 2013 15:17:02 GMT

use transform.conf to make a field ?

Re: linebreaking issue

ebailey — Tue, 30 Jul 2013 03:25:13 GMT

that is it - i almost had it right - Thanks!