Props.conf and LINE_BREAKER Regex

Drainy — Thu, 21 Jul 2011 12:45:27 GMT

I have created a regex;

(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

To act as my LINE_BREAKER in the props conf file for an app I am currently working on.
The log data is generated by a script and the length of each event output by the script is variable in length and contents however the first entry is always a timestamp of the format;

13:36:18.680336

In the documentation is the following paragraph;

Wherever the regex matches, Splunk considers the start of the first matching group to be the end of the previous event, and considers the end of the first matching group to be the start of the next event.

From http://www.splunk.com/base/Documentation/Latest/Admin/Propsconf

Now I understand that as meaning that it will interpret my regex, when a match is made it will move to the end of the matched data and count that as the beginning of my event.
Thats not ideal as I really want to keep all the event data, but as a test I tried it and instead it caught all of my event but missed the first two integers of my timestamp like so;

:36:18.680336

I assume its my regex or understanding/implementation thats at fault? Any ideas would be appreciated.

Re: Props.conf and LINE_BREAKER Regex

dwaddle — Thu, 21 Jul 2011 14:21:03 GMT

LINE_BREAKER gobbles the first capture group. You might try this:

([\r\n]+)(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

topic Re: Props.conf and LINE_BREAKER Regex in Splunk Search

Props.conf and LINE_BREAKER Regex

Re: Props.conf and LINE_BREAKER Regex