https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453932#M172340 <P>Won't this configuration cut the <EM>SNMPv2-SMI::enterprises</EM> part out of the event? I don't know if this is intended. Thats why I included this in a non-capturing group in my example. </P> <P>But apart from that you are correct, if data comes in via UF, you should always inclund EVENT_BREAKER config!</P> Mon, 25 Mar 2019 07:14:02 GMT DMohn 2019-03-25T07:14:02Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453926#M172334 <P>hi ,</P> <P>Below is my single event indexing into splunk.I want to break the events into single events .It should break and comes into the next row after the string "SNMPv2- SMI::enterprises" .i got stuck writing regex on this . Kindly help.</P> <P>SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29865" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22018.41032.29826" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22018.41032.29863" = "0" SNMPv2-SMI</P> Thu, 21 Mar 2019 13:11:36 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453926#M172334 Nadhiyaa 2019-03-21T13:11:36Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453927#M172335 <P>In your props.conf, can you try with <CODE>MUST_BREAK_AFTER=([\r\n]+)(?=SNMPv2- SMI::enterprises)</CODE></P> <P>Also, send your props.conf</P> Thu, 21 Mar 2019 13:20:32 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453927#M172335 lakshman239 2019-03-21T13:20:32Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453928#M172336 <P>Add the following line to your appropriate props.conf stanza:</P> <PRE><CODE>[your_sourcetype] LINE_BREAKER = (?:SNMPv2-SMI::enterprises)(.) </CODE></PRE> <P>It is always encouraged to use the LINE_BREAKER stanza where possible. THis will take (at least) one RegEx capturing group, which marks the <EM>end</EM> of one event <STRONG>and will be discarded</STRONG>. So in your case, as the end of your events is represented by the string "SNMPv2-SMI::enterprises" this needs to come before the end-of-event-group and hence is a non-capturing group. The single charakter thereafter is being discarded, and the next event starts right after.</P> Thu, 21 Mar 2019 15:10:25 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453928#M172336 DMohn 2019-03-21T15:10:25Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453929#M172337 <P>Hi ,@DMohn <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/177803">@lakshman239</a> <BR /> Below props.conf worked when i added the data manually .but not working when specified in the heavy forwarder .Tried specified in both indexer and search head as well. Please help what could be the issue .</P> <P>[sourcetype]<BR /> BREAK_ONLY_BEFORE = ([\s]+)(?=SNMPv2-SMI::enterprises)<BR /> DATETIME_CONFIG =<BR /> LINE_BREAKER = ([\s]+)(?=SNMPv2-SMI::enterprises)</P> Tue, 29 Sep 2020 23:48:12 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453929#M172337 Nadhiyaa 2020-09-29T23:48:12Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453930#M172338 <P>Google <CODE>Splunk Magic 6</CODE> or <CODE>Splunk Magic 8</CODE> and read up on how bad it is to let Splunk merge events and guess at timestamps. You need EXACTLY these settings in props.conf:</P> <PRE><CODE>[yourSourcetypeHere] SHOULD_LINEMERGE = false #LINE_BREAKER = ([\n\r\s]*)SNMPv2-SMI::enterprises\. LINE_BREAKER = ([\n\r\s]*SNMPv2-SMI::enterprises\.) #EVENT_BREAKER = ([\n\r\s]*)SNMPv2-SMI::enterprises\. EVENT_BREAKER = ([\n\r\s]*SNMPv2-SMI::enterprises\.) EVENT_BREAKER_ENABLE = true DATETIME_CONFIG = CURRENT </CODE></PRE> <P>You can save license by stripping off the <CODE>SNMPv2-SMI::enterprises.</CODE> or you can keep it.</P> Sun, 24 Mar 2019 13:03:18 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453930#M172338 woodcock 2019-03-24T13:03:18Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453931#M172339 <P>This is a very poor configuration, if it even works. Do not use this.</P> Sun, 24 Mar 2019 13:04:20 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453931#M172339 woodcock 2019-03-24T13:04:20Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453932#M172340 <P>Won't this configuration cut the <EM>SNMPv2-SMI::enterprises</EM> part out of the event? I don't know if this is intended. Thats why I included this in a non-capturing group in my example. </P> <P>But apart from that you are correct, if data comes in via UF, you should always inclund EVENT_BREAKER config!</P> Mon, 25 Mar 2019 07:14:02 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453932#M172340 DMohn 2019-03-25T07:14:02Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453933#M172341 <P>@woodcock </P> <P>above props.conf works when we manually add the data .<BR /> As we are getting the snmp data via our heavy forwarder somehow its not taking the props.conf and its not working. Specified the props in search head and indexers as well but none worked .</P> Mon, 25 Mar 2019 09:36:48 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453933#M172341 Nadhiyaa 2019-03-25T09:36:48Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453934#M172342 <P>It must be deployed to the HFs, not the Indexers.</P> Mon, 25 Mar 2019 10:14:04 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453934#M172342 woodcock 2019-03-25T10:14:04Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453935#M172343 <P>Swap for the one that is commented out.</P> Mon, 25 Mar 2019 10:19:55 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453935#M172343 woodcock 2019-03-25T10:19:55Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453936#M172344 <P>yes, we have deployed it on the HF, but still it is not working ? Can you further advise on this issue ?</P> Tue, 26 Mar 2019 05:30:59 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453936#M172344 pgadhari 2019-03-26T05:30:59Z https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453937#M172345 <P>@DMohn - If you see the logs properly, the event starts with <STRONG>"SNMPv2-SMI::enterprises"</STRONG>, and ends with third <STRONG>"space"</STRONG>, in between there are 2 spaces.</P> <P>e.g :</P> <P>SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0" <BR /> so ideally, we need to break at the last <STRONG>"Space"</STRONG> of that event i.e. third space. I have attached the image for the event and marked the space with red where line break should occur. </P> <P><A href="https://ibb.co/cCqSsXg">https://ibb.co/cCqSsXg</A></P> <P>How do we write the capture regex for that ? </P> <P>Strange behaviour is when we export sample raw logs and upload from local manually, the suggested regex works. But when we put that on HF, it does not works. We are restarting splunk after the change on HF.</P> Tue, 26 Mar 2019 11:29:12 GMT https://community.splunk.com/t5/Splunk-Search/Break-events-based-on-a-string/m-p/453937#M172345 pgadhari 2019-03-26T11:29:12Z