Line Breaks

JDukeSplunk — Tue, 29 Sep 2020 19:49:29 GMT

I need a working line-breaker for this sourcetype .I could muck about trying to get this working on my own, or I could ask here since it seems pretty simple. All of the events end with "Message()"

Here's the raw scrubbed raw event and a screencap of how Splunk is picking it up.

Jun 4 12:25:34 10.111.111.111 [0x80c0003f][AlereSSOSPDebug][info] xmlfirewall(SSOAuditLogFW): trans(11111111)[request][10.111.1.11] gtid(111111111X1111xx11x1xxxx):
Jun 4 12:25:34 10.214.8.104 Timestamp(2018-06-04T12:25:34-04:00)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 TransactionID(XXX-11111111)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 ClientId(HealthxX 1111111)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 UserInfo()
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 Status(0x00000000)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 TimeTaken(V1_208_202_0_0_6)
Jun 4 12:25:34 10.214.8.104 ::
Jun 4 12:25:34 10.214.8.104 Message()

Re: Line Breaks

sshelly_splunk — Tue, 29 Sep 2020 19:46:05 GMT

Use the following in props.conf for the sourcetype:
"SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Message()$"

I tried w/your event data, and it worked for me.

Re: Line Breaks

JDukeSplunk — Fri, 07 Sep 2018 15:01:41 GMT

Yours worked in 99% of the events. What I finally ended up with was a really long regex.

BREAK_ONLY_BEFORE = \w{3}\s\d{1,2}\s\d{1,2}\:\d{1,2}\:\d{1,2}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\[

topic Re: Line Breaks in Getting Data In

Line Breaks

Re: Line Breaks

Re: Line Breaks