https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51089#M9798 <P>Hi,thanks for the help!<BR /> I hav another questn,my file also includes these lines:</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root sys 2984 Apr 11 2006 /var/adm/loginlog</P> <P>====================================================</P> <P>vkaliya:/dev/pts/1:Wed May 4 11:14:34 2005</P> <P>vkaliaya:/dev/pts/1:Wed May 4 11:14:43 2005</P> <P>Your above prop.conf and transform.conf works with the earlier example,but it would not correctly timestamp the events (in the 2nd example). Can you assist me pls?</P> Mon, 14 May 2012 06:57:31 GMT JeffTanYH 2012-05-14T06:57:31Z https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51087#M9796 <P><STRONG>I have several text format log files in which I need help in linebreaking them into the appropriate events that I need. This is an exmaple of what my file looks like:</STRONG></P> <P>====================================================</P> <P>LOGS_BEGIN: DO_LOG</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root root 3505 Apr 23 12:58 /var/adm/sulog</P> <P>====================================================</P> <P>SU 02/12 16:53 - pts/1 hkim-root</P> <P>SU 02/12 16:53 + pts/1 hkim-root</P> <P>SU 02/13 13:10 + ??? root-sys</P> <P>SU 02/14 13:10 + ??? root-sys</P> <P>SU 02/15 10:28 + pts/1 hkim-root</P> <P>SU 02/15 13:10 + ??? root-sys</P> <P>SU 02/16 13:10 + ??? root-sys</P> <P>SU 02/17 13:10 + ??? root-sys</P> <P>SU 02/18 13:10 + ??? root-sys</P> <P>SU 02/19 13:10 + ??? root-sys</P> <P>SU 02/19 16:42 + pts/1 hkim-root</P> <P>SU 02/20 13:10 + ??? root-sys</P> <P>SU 02/20 15:06 + pts/1 hkim-root</P> <P>SU 02/21 09:54 + pts/1 hkim-root</P> <P>SU 02/21 13:10 + ??? root-sys</P> <P>SU 02/21 17:22 - pts/1 hkim-root</P> <P>SU 02/21 17:22 + pts/1 hkim-root</P> <P>SU 02/22 09:56 + pts/1 hkim-root</P> <P>SU 02/22 10:03 + pts/1 hkim-hkim</P> <P>SU 02/22 10:03 + pts/1 hkim-sybmp</P> <P>SU 02/22 13:10 + ??? root-sys</P> <P>====================================================</P> <P>====================================================</P> <P><STRONG>I need to be able to filter out the top part of the log,which consist of the 1st line till the 6th line (shown below)</STRONG></P> <P>====================================================</P> <P>LOGSBEGIN: DOLOG</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root root 3505 Apr 23 12:58 /var/adm/sulog</P> <P>====================================================</P> <P><STRONG>After which,I will need each and every line to be a seperate event (shown below)</STRONG></P> <P>SU 02/15 10:28 + pts/1 hkim-root</P> <P>SU 02/15 13:10 + ??? root-sys</P> <P><STRONG>I would also have to filter out the last part of the log(shown below)</STRONG></P> <P>====================================================</P> <P>====================================================</P> <P><STRONG>I have tried several props.conf be it doesn't to be working!! Please help me!</STRONG></P> Mon, 28 Sep 2020 11:49:01 GMT https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51087#M9796 JeffTanYH 2020-09-28T11:49:01Z https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51088#M9797 <P>Try this</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[yoursourcetypename] SHOULD_LINEMERGE=false MAX_TIMESTAMP_LOOKAHEAD=15 TRANSFORMS-d1=delete_header_and_footer </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[delete_header_and_footer] REGEX=(?:^=====|^LOGSBEGIN|^[-rw][-rw][-rw]) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> <P>What it does: tells Splunk that your data is one event per line, with the timestamp in the first 15 characters. It also takes each event and checks it against the regular expression in transforms.conf. Events that match are discarded.</P> <P>I checked the regular expression at <A href="http://gskinner.com/RegExr/">http://gskinner.com/RegExr/</A> but you should check it too.</P> <P>And BTW, the "d1" is just an arbitrary identifier, but it needs to be unique within props.conf.</P> Mon, 14 May 2012 05:42:35 GMT https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51088#M9797 lguinn2 2012-05-14T05:42:35Z https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51089#M9798 <P>Hi,thanks for the help!<BR /> I hav another questn,my file also includes these lines:</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root sys 2984 Apr 11 2006 /var/adm/loginlog</P> <P>====================================================</P> <P>vkaliya:/dev/pts/1:Wed May 4 11:14:34 2005</P> <P>vkaliaya:/dev/pts/1:Wed May 4 11:14:43 2005</P> <P>Your above prop.conf and transform.conf works with the earlier example,but it would not correctly timestamp the events (in the 2nd example). Can you assist me pls?</P> Mon, 14 May 2012 06:57:31 GMT https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51089#M9798 JeffTanYH 2012-05-14T06:57:31Z https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51090#M9799 <P>You could simply remove this line</P> <P>MAX_TIMESTAMP_LOOKAHEAD=15</P> <P>I don't think it is really necessary</P> Mon, 28 Sep 2020 11:49:37 GMT https://community.splunk.com/t5/Getting-Data-In/breaking-log-events/m-p/51090#M9799 lguinn2 2020-09-28T11:49:37Z