topic Line breaks and regex help in Splunk Search

Line breaks and regex help

j666gak — Wed, 15 Aug 2012 19:36:15 GMT

Hello,

I am having issues when Splunk is reading an XML file. I need Splunk to know that a transaction starts with and finishes with , instead of line breaks all over the place.

I'm not sure what the regex I need for this is? and would I need to add it to props.conf or transforms.conf or something else?

  <diary_entry>
  <id>560494</id>
  <entry_time>2011-08-25 12:36:00 UTC</entry_time>
  <blood_glucose>15.4</blood_glucose>
  <carbohydrate_portions>5</carbohydrate_portions>
  <quick_insulin>3</quick_insulin>
  <background_insulin></background_insulin>
  <ratio>1:1</ratio>
  <entry_type>CORR</entry_type>
  <target_min_bg>4.5</target_min_bg>
  <target_max_bg>7.5</target_max_bg>
  <ketones></ketones>
  <comments></comments>
  <injection_site>Stomach</injection_site>
  <updated_at>2011-08-25 22:44:02 UTC</updated_at>
</diary_entry>

Re: Line breaks and regex help

Ayn — Wed, 15 Aug 2012 19:39:47 GMT

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

Re: Line breaks and regex help

kristian_kolb — Mon, 28 Sep 2020 12:16:21 GMT

and don't forget to also set

SHOULD_LINEMERGE=false TIME_PREFIX=

note that the latter may not be required if your timestamps are parsed correctly without it.

Re: Line breaks and regex help

j666gak — Wed, 15 Aug 2012 20:22:47 GMT

just trying it now and testing

Thanks

Re: Line breaks and regex help

j666gak — Wed, 15 Aug 2012 20:32:59 GMT

I have edited the props.conf and restarted the Splunk server but nothing has changed. Does the data need to be re-indexed?

Re: Line breaks and regex help

kristian_kolb — Wed, 15 Aug 2012 20:35:51 GMT

Already indexed data will not be altered by this operation. Any new data coming in should be broken into separate event according to your config.