topic Re: Writing props.conf for logfile having below log style in Getting Data In

Writing props.conf for logfile having below log style

ajaylowes — Wed, 12 Jul 2017 13:48:59 GMT

*****************************************************************************
***************           SYSTEM    ERROR:   000000           ***************
DATE: 07/05/2017 ********************************************* TIME: 12:00 AM

i am starting to learn splunk , its good and very interesting > i love splunk ./
REFERENCE CODE: ABC_XYZ_FILECOPY-82728

i need to create props.conf to break the logfile containing logs shown above into events.
Please help me write one props.conf which remove all stars since they are not useful

Thanks

Re: Writing props.conf for logfile having below log style

lguinn2 — Wed, 12 Jul 2017 18:52:20 GMT

If this is the whole log, then it looks like you want one event per file. Try this in props.conf

[yoursourcetypehere]
BREAK_ONLY_BEFORE=^**************************************************$
TIME_PREFIX = DATE\:
MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_FORMAT = %m/%d/%Y ********************************************* TIME: %H:%M %p

You may have to tweak this a bit to get it right for your log file.

Re: Writing props.conf for logfile having below log style

ajaylowes — Wed, 12 Jul 2017 18:54:07 GMT

There are several similar logs in one file. Also , i need to remove stars from the log since they are unwanted.

Re: Writing props.conf for logfile having below log style

woodcock — Thu, 13 Jul 2017 01:48:50 GMT

Show us the first 2 events and the last 2 events.

Re: Writing props.conf for logfile having below log style

ajaylowes — Thu, 13 Jul 2017 12:21:22 GMT

*****************************************************************************
***************           SYSTEM    ERROR:   510762           ***************
DATE: 07/06/2017 ********************************************* TIME: 12:00 AM

<1 line text>


<2 line text>

REFERENCE CODE: DMS_RMT_FILECOPY-82727


*****************************************************************************
***************           SYSTEM    ERROR:   510763           ***************
DATE: 07/06/2017 ********************************************* TIME: 12:00 AM

<1 line text>


<2 line text>

REFERENCE CODE: DMS_RMT_FILECOPY-82728


*****************************************************************************
***************           SYSTEM    ERROR:   510764           ***************
DATE: 07/06/2017 ********************************************* TIME: 12:00 AM

<1 line text>


<2 line text>

REFERENCE CODE: DMS_RMT_FILECOPY-82727

Re: Writing props.conf for logfile having below log style

woodcock — Thu, 13 Jul 2017 14:15:22 GMT

Use these settings in props.conf:

[yourSourcetypeHere]
LINE_BREAKER = ([\r\n]+)\*{70}
TIME_PREFIX = DATE\:
MAX_TIMESTAMP_LOOKAHEAD = 80
TIME_FORMAT = %m/%d/%Y ********************************************* TIME: %H:%M %p

Re: Writing props.conf for logfile having below log style

sbbadri — Tue, 29 Sep 2020 14:54:50 GMT

in props.conf

[my_source_type]
SEDCMD-remove_asteriks1 = s/(\W+\s+)SYSTEM/SYSTEM/g
SEDCMD-remove_asteriks2 = s/(\s+\W+)DATE:/ DATE:/g
SEDCMD-remove_asteriks3 = s/(\s+\W+)TIME:/ TIME:/g

Re: Writing props.conf for logfile having below log style

ajaylowes — Thu, 13 Jul 2017 15:58:13 GMT

does this remove the star from the event and then digest it into splunk?

Re: Writing props.conf for logfile having below log style

ajaylowes — Thu, 13 Jul 2017 16:03:12 GMT

hi ,

can you please explain how that works....