https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51682#M9908 <P><A href="http://shes.fr/">http://shes.fr/</A></P> Fri, 08 Feb 2013 22:36:55 GMT emcollections 2013-02-08T22:36:55Z https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51678#M9904 <P><STRONG>I have several text format log files in which I need help in linebreaking them into the appropriate events that I need. This is an exmaple of what my file looks like:</STRONG></P> <P>====================================================</P> <P>LOGS_BEGIN: DO_LOG</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root root 3505 Apr 23 12:58 /var/adm/sulog</P> <P>====================================================</P> <P>SU 02/12 16:53 - pts/1 hkim-root</P> <P>SU 02/12 16:53 + pts/1 hkim-root</P> <P>SU 02/13 13:10 + ??? root-sys</P> <P>SU 02/16 13:10 + ??? root-sys</P> <P>SU 02/17 13:10 + ??? root-sys</P> <P>SU 02/20 13:10 + ??? root-sys</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root root 99999999 Apr 24 15:25 /var/log/messages</P> <P>====================================================</P> <P>Apr 24 14:30:01 999999999999 crond(pam_unix)[13043]: session opened for user root by (uid=0)</P> <P>Apr 24 14:30:01 999999999999 crond(pam_unix)[13045]: session opened for user root by (uid=0)</P> <P>Apr 24 14:30:01 999999999999 su(pam_unix)[13049]: session opened for user iscan by (uid=0)</P> <P>Apr 24 14:30:01 999999999999 crond(pam_unix)[13043]: session closed for user root</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root sys 2984 Apr 11 2006 /var/adm/loginlog</P> <P>====================================================</P> <P>vkaliya:/dev/pts/1:Wed May 4 11:14:34 2005</P> <P>vkaliaya:/dev/pts/1:Wed May 4 11:14:43 2005</P> <P>vkaliya:/dev/pts/1:Wed May 4 11:14:34 2005</P> <P>vkaliaya:/dev/pts/1:Wed May 4 11:14:43 2005</P> <P>vkaliya:/dev/pts/1:Wed May 4 11:14:55 2005</P> <P>vkaliya:/dev/pts/1:Wed May 4 11:15:06 2005</P> <P>====================================================</P> <P>====================================================</P> <P><STRONG>I need to be able to filter out the top part of the log,which consist of the 1st line till the 6th line (shown below)this applies to the messagelog and loginlog as well</STRONG></P> <P>====================================================</P> <P>LOGSBEGIN: DOLOG</P> <P>====================================================</P> <P>====================================================</P> <P>-rw------- 1 root root 3505 Apr 23 12:58 /var/adm/sulog</P> <P>====================================================</P> <P><STRONG>After which,I will need each and every line to be a seperate event (shown below)</STRONG></P> <P>SU 02/15 10:28 + pts/1 hkim-root</P> <P>SU 02/15 13:10 + ??? root-sys</P> <P><STRONG>I would also have to filter out the last part of the log(shown below)</STRONG></P> <P>====================================================</P> <P>====================================================</P> <P><STRONG>I have tried several props.conf but it doesn't to be working!! Please help me!</STRONG><BR /> <STRONG>TAKE NOTE: at the loginlog section,the time format is different from the message and sulog section!!!!</STRONG></P> Mon, 28 Sep 2020 11:49:15 GMT https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51678#M9904 JeffTanYH 2020-09-28T11:49:15Z https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51679#M9905 <P><A href="http://www.emcollections.net/">http://www.emcollections.net/</A></P> Tue, 15 May 2012 06:35:11 GMT https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51679#M9905 emcollections 2012-05-15T06:35:11Z https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51680#M9906 <P><A href="http://www.emcollections.net/">http://www.emcollections.net/</A></P> Tue, 15 May 2012 06:35:28 GMT https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51680#M9906 emcollections 2012-05-15T06:35:28Z https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51681#M9907 <P><A href="http://shes.fr/">http://shes.fr/</A></P> Fri, 08 Feb 2013 22:36:40 GMT https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51681#M9907 emcollections 2013-02-08T22:36:40Z https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51682#M9908 <P><A href="http://shes.fr/">http://shes.fr/</A></P> Fri, 08 Feb 2013 22:36:55 GMT https://community.splunk.com/t5/Getting-Data-In/trouble-breaking-log-events/m-p/51682#M9908 emcollections 2013-02-08T22:36:55Z