<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help with parsing a cmd log file in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-parsing-a-cmd-log-file/m-p/320147#M59783</link>
    <description>&lt;P&gt;The &lt;CODE&gt;LINE_BREAKER&lt;/CODE&gt; attribute needs a capture group to work correctly.  Try &lt;CODE&gt;LINE_BREAKER = ([=\s]+)Command:&lt;/CODE&gt; or &lt;CODE&gt;LINE_BREAKER = ()Command:&lt;/CODE&gt;.&lt;/P&gt;</description>
    <pubDate>Tue, 05 Dec 2017 14:29:08 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2017-12-05T14:29:08Z</dc:date>
    <item>
      <title>Help with parsing a cmd log file</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-parsing-a-cmd-log-file/m-p/320146#M59782</link>
      <description>&lt;P&gt;==============================================&lt;BR /&gt;
**Command: C:\cmd command - xxx..&lt;BR /&gt;
Started at: 12/04/2017 07:03:02&lt;/P&gt;

&lt;H1&gt;Finished at: 12/04/2017 07:06:03 with code 0**&lt;/H1&gt;

&lt;P&gt;==============================================&lt;BR /&gt;
**Command:  C:\cmd command - xxx..&lt;BR /&gt;
Started at: 12/04/2017 07:03:02&lt;/P&gt;

&lt;H1&gt;Finished at: 12/04/2017 07:06:03 with code 0**&lt;/H1&gt;

&lt;P&gt;==============================================&lt;BR /&gt;
**Command: Command\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...&lt;BR /&gt;
Started at: 12/04/2017 07:06:03&lt;BR /&gt;
Command output:&lt;BR /&gt;
c:&amp;gt;# xxxxxxxxxxxxxxxxxxx......&lt;BR /&gt;
c:&amp;gt;xxxxxxxxxxxxxxxxxxxx&lt;/P&gt;

&lt;H1&gt;Finished at: 12/04/2017 07:06:25 with code 0**&lt;/H1&gt;

&lt;P&gt;==============================================&lt;BR /&gt;
**Command:  C:\cmd command - xxx..&lt;BR /&gt;
Started at: 12/04/2017 07:06:25&lt;/P&gt;

&lt;H1&gt;Finished at: 12/04/2017 07:06:28 with code 0**&lt;/H1&gt;

&lt;P&gt;Individual log entries begin and end with a '====' separator. &lt;/P&gt;

&lt;P&gt;Since the timestamp entries are seamless across logs, finished and new log parsing is erratic.&lt;/P&gt;

&lt;P&gt;Tried putting the following prop.conf at $SPLUNK_HOME/system/local&lt;/P&gt;

&lt;P&gt;[source_type]&lt;BR /&gt;
LINE_BREAKER = [=]+&lt;BR /&gt;
BREAK_ONLY_BEFORE_DATE = false&lt;BR /&gt;
SHOULD_LINEMERGE = true&lt;BR /&gt;
DATETIME_CONFIG = NONE&lt;BR /&gt;
MUST_BREAK_AFTER = [=]+&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 17:04:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-parsing-a-cmd-log-file/m-p/320146#M59782</guid>
      <dc:creator>arijitnag</dc:creator>
      <dc:date>2020-09-29T17:04:02Z</dc:date>
    </item>
    <item>
      <title>Re: Help with parsing a cmd log file</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-parsing-a-cmd-log-file/m-p/320147#M59783</link>
      <description>&lt;P&gt;The &lt;CODE&gt;LINE_BREAKER&lt;/CODE&gt; attribute needs a capture group to work correctly.  Try &lt;CODE&gt;LINE_BREAKER = ([=\s]+)Command:&lt;/CODE&gt; or &lt;CODE&gt;LINE_BREAKER = ()Command:&lt;/CODE&gt;.&lt;/P&gt;</description>
      <pubDate>Tue, 05 Dec 2017 14:29:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-parsing-a-cmd-log-file/m-p/320147#M59783</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2017-12-05T14:29:08Z</dc:date>
    </item>
  </channel>
</rss>

