https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84186#M7316 <P>HI,</P> <P>I am new to Splunk but have questions which people should have experienced: </P> <P>I am currently setting up a POC environment in multi DC environment, env is simple right now: </P> <P>In one DC we have a Single instance of Splunk which contains (i think every component), we have a universal forwarder system looking at 5 different log files of (same type) </P> <P>Till now i am able to go to Universal Forwarder - :\Program Files\SplunkUniversalForwarder\etc\system\local\ and made an entry for - crcSalt = <SOURCE><BR /><BR /> eg:<BR /><BR /> [monitor://D:\Notfier.out]<BR /><BR /> crcSalt = <SOURCE> </SOURCE></SOURCE></P> <P>[monitor://D:\Notfier2.out]<BR /><BR /> crcSalt = <SOURCE> </SOURCE></P> <P>This creates 2 sources in Splunk (server) and i see all logs are directed - so i think at this point it is working fine.</P> <P>Now when we are getting events they are multiline and splubnk is confused how to split them, after reading i figured out that i need props.conf to learn splunk how to split each event</P> <P>Sample event i am getting:</P> <P>Subject: CR<BR /><BR /> %customer_name=Xys<BR /><BR /> %zrepby=xys<BR /><BR /> %group=ABC.DOC<BR /> %priority=3<BR /><BR /> %summary= Alert: 10/05/2013 16:01:17 A CRITICAL alarm has occurred on Host Abcs.Domain<BR /><BR /> %CATEGORY=Mon.Xyz.Abc<BR /><BR /> %DESCRIPTION=Alert: DEVICE HAS STOPPED RESPONDING TO POLLS - CONDITION PERSISTS FOR 10 MINUTES SYMPTOMS: Device has stopped responding to polls. PROBABLE CAUSES: 1) Device Hardware Failure. 2)<BR /><BR /> Status: CRITICAL<BR /><BR /> Customer:<BR /><BR /> Device Type: Host<BR /><BR /> Primary Engineer:<BR /><BR /> *** From UpdateScript *** </P> <P>I created Props.conf on Splunk Server ( i created this MyApp to customize dashobaords and views)<BR /> D:\Splunkv5\etc\apps\MyApp\local\props.conf </P> <P>[monitor://D:\Notifier.OUT]<BR /><BR /> SHOULD_LINEMERGE = false<BR /><BR /> LINE_BREAKER = ^Subject: (.*)$ </P> <P>I was thinking to break each event before Line "Subject: CR" starts. </P> <P>Unfortunately my events are not breaking and i have no idea what i am missing. </P> <P>Any help will be appreciated. </P> <P>Thanks,<BR /> Nik</P> Mon, 28 Sep 2020 14:54:20 GMT nikhilmehra79 2020-09-28T14:54:20Z https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84186#M7316 <P>HI,</P> <P>I am new to Splunk but have questions which people should have experienced: </P> <P>I am currently setting up a POC environment in multi DC environment, env is simple right now: </P> <P>In one DC we have a Single instance of Splunk which contains (i think every component), we have a universal forwarder system looking at 5 different log files of (same type) </P> <P>Till now i am able to go to Universal Forwarder - :\Program Files\SplunkUniversalForwarder\etc\system\local\ and made an entry for - crcSalt = <SOURCE><BR /><BR /> eg:<BR /><BR /> [monitor://D:\Notfier.out]<BR /><BR /> crcSalt = <SOURCE> </SOURCE></SOURCE></P> <P>[monitor://D:\Notfier2.out]<BR /><BR /> crcSalt = <SOURCE> </SOURCE></P> <P>This creates 2 sources in Splunk (server) and i see all logs are directed - so i think at this point it is working fine.</P> <P>Now when we are getting events they are multiline and splubnk is confused how to split them, after reading i figured out that i need props.conf to learn splunk how to split each event</P> <P>Sample event i am getting:</P> <P>Subject: CR<BR /><BR /> %customer_name=Xys<BR /><BR /> %zrepby=xys<BR /><BR /> %group=ABC.DOC<BR /> %priority=3<BR /><BR /> %summary= Alert: 10/05/2013 16:01:17 A CRITICAL alarm has occurred on Host Abcs.Domain<BR /><BR /> %CATEGORY=Mon.Xyz.Abc<BR /><BR /> %DESCRIPTION=Alert: DEVICE HAS STOPPED RESPONDING TO POLLS - CONDITION PERSISTS FOR 10 MINUTES SYMPTOMS: Device has stopped responding to polls. PROBABLE CAUSES: 1) Device Hardware Failure. 2)<BR /><BR /> Status: CRITICAL<BR /><BR /> Customer:<BR /><BR /> Device Type: Host<BR /><BR /> Primary Engineer:<BR /><BR /> *** From UpdateScript *** </P> <P>I created Props.conf on Splunk Server ( i created this MyApp to customize dashobaords and views)<BR /> D:\Splunkv5\etc\apps\MyApp\local\props.conf </P> <P>[monitor://D:\Notifier.OUT]<BR /><BR /> SHOULD_LINEMERGE = false<BR /><BR /> LINE_BREAKER = ^Subject: (.*)$ </P> <P>I was thinking to break each event before Line "Subject: CR" starts. </P> <P>Unfortunately my events are not breaking and i have no idea what i am missing. </P> <P>Any help will be appreciated. </P> <P>Thanks,<BR /> Nik</P> Mon, 28 Sep 2020 14:54:20 GMT https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84186#M7316 nikhilmehra79 2020-09-28T14:54:20Z https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84187#M7317 <P>Good try, but the important thing to remember is that <CODE>^</CODE> in regular expression refers to the beginning of the string. This is irrelevant and never set because you are looking at a whole stream of bytes. In other words <CODE>^</CODE> only works after lines have been broken, so you can't use it to break lines. You should use:</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = ([\n\r]+)(?=Subject:) </CODE></PRE> <P>Also, it's not clear to me why you're using <CODE>crcSalt = &lt;SOURCE&gt;</CODE>.</P> Sat, 05 Oct 2013 23:40:57 GMT https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84187#M7317 gkanapathy 2013-10-05T23:40:57Z https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84188#M7318 <P>Hi Thanks. "Also, it's not clear to me why you're using crcSalt = <SOURCE>." - reason why i am using it is because we have 5 - log files which i am reading "Notifier.OUT" "NOTIFIER1.OUT" to 5...they all are having content different but when i tried installing universal installer on server where i have these log files the universal forwarder only read "Notifier.OUT" and not rest 4, when i did more reserach in log files it refered that Splunk Forwarder is not reading rest of 4 log files and will need CRC Salt beacaue apparently few lines at top of log files are same - (possible may be header of log files) and splunk do not index complete log files to see if one log file is unique vs another. Hence i did following configuration on Universal Forwarded (source server for these log files) </SOURCE></P> <P>[monitor://D:Notfier.out]<BR /><BR /> crcSalt = <SOURCE> </SOURCE></P> <P>[monitor://D:Notfier2.out]<BR /><BR /> crcSalt = <SOURCE> </SOURCE></P> <P>Let me know if you think i am doing something stupid here....Now, going back to problem of splitting (since we have a universal forwarder and Splunk server only setup). I added your lines at props.conf at Splunk server </P> <P>Here is what i have in props.conf :<BR /><BR /> [My Alert]<BR /><BR /> SHOULD_LINEMERGE = false<BR /><BR /> LINE_BREAKER = ([\n\r]+)(?=Subject:) </P> <P>The path of my props.conf is under a custom application on Splunk Server (not universal forwarder) :<BR /> D:\Splunkv5\etc\apps\MyApp\local<BR /><BR /> is this the right path....do i need to put this somewhere else?</P> <P>The events are still not splitting at before "Subject: CR".</P> Mon, 28 Sep 2020 14:54:28 GMT https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84188#M7318 nikhilmehra79 2020-09-28T14:54:28Z https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84189#M7319 <P>this props.conf must be changed in your indexer<BR /> and make sure you have the same sourcetype used in this stanza which you have used in your inputs.conf of the forwarder</P> <P>your inputs.conf (forwarder)</P> <P>[monitor://D:Notfier.out] <BR /> crcSalt = <SOURCE><BR /> sourcetype=abc</SOURCE></P> <P>[monitor://D:Notfier2.out]<BR /> crcSalt = <SOURCE><BR /> sourcetype=abc</SOURCE></P> <P>props.conf (indexer)</P> <P>[abc]<BR /><BR /> SHOULD_LINEMERGE = false<BR /> LINE_BREAKER = ([\n\r]+)(?=Subject:)</P> Mon, 28 Sep 2020 15:16:51 GMT https://community.splunk.com/t5/Monitoring-Splunk/Multiline-Event/m-p/84189#M7319 luv 2020-09-28T15:16:51Z