topic Re: props.conf and splitting events in Getting Data In

props.conf and splitting events

nikhilmehra79 — Mon, 28 Sep 2020 16:22:31 GMT

Hi ,

I am trying to break a event using props.conf but failing issues any help is appreciated:

My event stream generally starts with

Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
.
.
.

.

I also want to use the time above and convert it to CT if possible, reason my indexers are in CT TZ where as my UF are in PT (hence above logs are written in PT TZ)

Also can i use the props.conf in UF (source of log file) as against indexer

I tried to use following in my indexer props.conf with no luck
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\s+\d{4}\s+\w{2}\s+\:\s)

P.S system has removed escape charcter here before s w and d

Re: props.conf and splitting events

linu1988 — Sun, 13 Apr 2014 03:55:06 GMT

splunk would directly recognize the timestamp. just add TZ in the props.conf.

Why is the line breaker required? could you please post more logs?

Re: props.conf and splitting events

nikhilmehra79 — Sun, 13 Apr 2014 06:44:27 GMT

I fugured it out - i had got it working with same regex.

Re: props.conf and splitting events

nikhilmehra79 — Mon, 14 Apr 2014 00:06:44 GMT

Line Breaker i think was required because i had more lines where i said ...actual events look like
Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
Event 1 Info: Blah Blah
Description : Blah Blah Blah

Summary : Blah Blah Blah

Sat Apr 12 18:10:01 2014 PT : Opened Incident Details
Event 2 Info: Blah Blah
Description : Blah Blah Blah
Summary : Blah Blah Blah

Re: props.conf and splitting events

linu1988 — Mon, 28 Sep 2020 16:22:36 GMT

BREAK_ONLY_BEFORE_DATE = [true|false]
use this in props.conf to get rid of any line_breaker.

Re: props.conf and splitting events

nikhilmehra79 — Mon, 14 Apr 2014 04:53:13 GMT

qq : isnt the line merge would be required in this case and isnt that expensive ? not sure but this is what i was reading in DOCS

Re: props.conf and splitting events

linu1988 — Mon, 14 Apr 2014 05:08:37 GMT

why would you require a line merge after that! The events are broken just before the date, isn't it what you require!

Re: props.conf and splitting events

nikhilmehra79 — Mon, 28 Sep 2020 16:22:42 GMT

ok thanks i think i was confused that you need line merge with BREAK_ONLY_BEFORE_DATE. Appreciate your response.
Though i got in another issue after this: I posted here any clue? on this
http://answers.splunk.com/answers/131518/summary-indexing-and-tz