https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41068#M9502 <P>I am afraid on this one i don't think it will be possible to maintain the linebreak of each ControlID event.<BR /> Maybe someone else will have an idea...<BR /> You should create a new question</P> Wed, 02 May 2012 07:50:39 GMT MarioM 2012-05-02T07:50:39Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41063#M9497 <P>I am trying to linebreak my text format configuration file into the different events by the controlID. I need help in the linebreaking of my data.</P> <P>My text configuration looks something like this:</P> <PRE><CODE>****************************************************************************** * Reading information for ControlID: 999999 * ****************************************************************************** Auditing Enabled: Blah Audit Process Tracking: Blah ****************************************************************************** * Reading information for ControlID: 999999 * ****************************************************************************** Auditing Enabled: Blah Audit Account Logon Events: Blah ****************************************************************************** * Reading information for ControlID: 999999 * ****************************************************************************** Auditing Enabled: Blah Audit Account Management/User and Group Mgmt: Blah ****************************************************************************** * Reading information for ControlID: 999999 * ****************************************************************************** Auditing Enabled: Blah Audit Logon Events/Logon and Logoff : Blah </CODE></PRE> <P>The grey lines you see are actually ******** in my text file.</P> <P>I am rather new to SPLUNK and i urgently need your help in linebreaking my data. I have tried several methods but it doesn't seem to be working for my data. </P> <P>When i input this file into SPLUNK, it automically breaks my data into events. However, it does not break the events into what i want,it simply selects random lines to break the data,it gives no meanings to the different events.</P> <P>Please help me! Thank you.</P> Wed, 02 May 2012 03:52:06 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41063#M9497 JeffTanYH 2012-05-02T03:52:06Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41064#M9498 <P>Did you try the following for your sourcetype on your props.conf:</P> <PRE><CODE> [my_sourcetype] BREAK_ONLY_BEFORE=(.*\bControlID:.*) SHOULD_LINEMERGE=true </CODE></PRE> Wed, 02 May 2012 06:52:32 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41064#M9498 MarioM 2012-05-02T06:52:32Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41065#M9499 <P>Even better than <CODE>BREAK_ONLY_BEFORE</CODE> ( SHOULD_LINEMERGE=true use more resources):</P> <PRE><CODE>[my_sourcetype] LINE_BREAKER=([\r\n\-]+)\s+Reading.* SHOULD_LINEMERGE=false </CODE></PRE> Wed, 02 May 2012 07:12:34 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41065#M9499 MarioM 2012-05-02T07:12:34Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41066#M9500 <P>And one more thing.. Could you help me figure out how do i linebreak this as well?</P> <P>It is feasible to break [1] from [2] and make them seperate events? While maintaining the linebreak of each ControlID event? And how?</P> <PRE><CODE>****************************************************************************** * Reading information for ControlID: 999999 * ****************************************************************************** ________________________________________________________________________ Object: C:\WINDOWS Owner: BUILTIN\Administrators Group: BUILTIN\Administrators ACL (DACL): =========== [1]: BUILTIN\Users ACE Header Type : 0x0 ACE Header Flags: 0x0 ACE Access Mask : 0x999999 Apply to : [This folder] Allow Read Permissions Read Extended Attributes Read Attributes List Folder/Read Data Traverse Folder/Execute File [2]: BUILTIN\Users ACE Header Type : 0x0 ACE Header Flags: 0xb ACE Access Mask : 0xn0000000 Apply to : [Subfolders] [Files] Allow Read Execute </CODE></PRE> <P>It would be much appreciated if you could help me!</P> Wed, 02 May 2012 07:19:08 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41066#M9500 JeffTanYH 2012-05-02T07:19:08Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41067#M9501 <P>Hey. Thanks for your answers,greatly appreciated. The first one works better as it correctly breaks the event into the ControlID i need. The second one,however,breaks the "Auditing Enabled: Blah Audit Process Tracking: Blah " section with the ControlID below it,which is not what i want.</P> Wed, 02 May 2012 07:30:46 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41067#M9501 JeffTanYH 2012-05-02T07:30:46Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41068#M9502 <P>I am afraid on this one i don't think it will be possible to maintain the linebreak of each ControlID event.<BR /> Maybe someone else will have an idea...<BR /> You should create a new question</P> Wed, 02 May 2012 07:50:39 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41068#M9502 MarioM 2012-05-02T07:50:39Z https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41069#M9503 <P>Alright. Thanks alot MarioM. I'll create a new question and hopefully someone has a solution.</P> Wed, 02 May 2012 07:54:16 GMT https://community.splunk.com/t5/Splunk-Search/linebreaking-for-text-configuration-file-format/m-p/41069#M9503 JeffTanYH 2012-05-02T07:54:16Z