topic Re: Event break regex - match 19 digit number in Splunk Search

Event break regex - match 19 digit number

himynamesdave — Sun, 04 Jan 2015 14:51:49 GMT

Happy New Year everyone!

Regex n00b here - I am struggling to break events for a particular source. Any help would be appreciated.

The line to break events is in the following format

"From <19 digit numeric string>@<misc alpha numeric string of varying length> <timestamp>"

For example:

From 1489304828131889971@xxx Sat Jan 03 07:02:43 2015

From 1489220782115942636@82hs Fri Jan 02 08:46:51 2015

I want to specify an event break in props.conf with "From <19 digit numeric string>@".

Can anyone help?

-dave

Re: Event break regex - match 19 digit number

MuS — Sun, 04 Jan 2015 18:41:06 GMT

Hi himynamesdave,

try something like this as line breaker regex :

From\s.+?@

based on the assumption I understood you correct and you want everything after the @ as new line 😉

cheers, MuS

Re: Event break regex - match 19 digit number

jayannah — Mon, 28 Sep 2020 18:33:58 GMT

Since you want to break the events "From <19digits>@", here is props.conf for the same.
I have used \d{19} to match the exact 19 digits as you mentioned.

props.conf
[< your sourcetype OR source or host >]
BREAK_ONLY_BEFORE=From\s+\d{19}@
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

please let me know if the above props.conf worked for you..
regex query tried to match the correct pattern is https://regex101.com/r/kD3tZ1/1

Re: Event break regex - match 19 digit number

MuS — Sun, 04 Jan 2015 20:43:55 GMT

This will not work on any event NOT containing exactly (meaning more/less) 19 digits...
Always build things so you can [remember what they mean|work], two years from now 😉

Re: Event break regex - match 19 digit number

jayannah — Sun, 04 Jan 2015 20:53:13 GMT

Yes, I knew it. It depends on whether strict or loose pattern matching required. That why I said, based on 19 digit pattern as per the question.

Re: Event break regex - match 19 digit number

eddit0r — Sun, 04 Jan 2015 20:54:49 GMT

For the LINE_BREAKER to work there needs to be a capture group.

You should specify the following in props.conf

props.conf
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ([\r\n]+)From\s\d+@

That will break where there is a carriage return or new line, followed by From 'space' any number of digits and an @ symbol.

See how you go.

(It is always preferable to delimit multi-line events with LINE_BREAKER as it has significant benefits to processing speed)