Solved: Re: How to parse the Splunk Add-on for CyberArk lo...

gizemk00 · ‎09-04-2017

We changed UseLegacySyslogFormat as No and then log size not changed. How do we add the changed dbparm to the props.conf? as text or whatelse??

<5>1 2017-09-08T15:30:51Z CAVAULT01 CEF:0|Cyber-Ark|Vault|9.81.0000|241|Prepare Backup Metadata|5|act="Prepare Backup Metadata" suser=***** fname= dvc= shost=***** dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=<5>1 2017-09-08T15:30:51Z CAVAULT01 CEF:0|Cyber-Ark|Vault|9.81.0000|236|Backup Metadata|5|act="Backup Metadata" suser=***** fname= dvc= shost=***** dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=<5>1 2017-09-08T15:30:51Z CAVAULT01 CEF:0|Cyber-Ark|Vault|9.81.0000|236|Backup Metadata|5|act="Backup Metadata" suser=***** fname= dvc= shost=******* dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=

koshyk · ‎09-20-2017

I can see above sample you paste is multiple messages (with msg present correctly in 1st message), and event starting at YYYY-MM-DDTHH:mm:ss (eg 2017-09-08T15:30:51Z) but not on \r\n . So ensure your props.conf have correct time_format so it break on time rather on new-line.

Something like below would do

[yoursourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = ^

Or try ( i haven't tried it before)
BREAK_ONLY_BEFORE_DATE

A more detailed set of examples/documentation in here

View solution in original post

koshyk · ‎09-20-2017

I can see above sample you paste is multiple messages (with msg present correctly in 1st message), and event starting at YYYY-MM-DDTHH:mm:ss (eg 2017-09-08T15:30:51Z) but not on \r\n . So ensure your props.conf have correct time_format so it break on time rather on new-line.

Something like below would do

[yoursourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = ^

Or try ( i haven't tried it before)
BREAK_ONLY_BEFORE_DATE

A more detailed set of examples/documentation in here

gizemk00 · ‎09-20-2017

thank you for comment, we used LINE_BREAKER = ([\r\n ]+) format, also this method worked, event starting at \r\n as < 5 > 1 but when ı copy, it remove

woodcock · ‎09-10-2017

Please explain with more words and maybe show the changes and the data; I do not at all understand what you are saying.

gizemk00 · ‎09-20-2017

as you see above sample log, ı coundn't parse after "msg=" How to seperate this log to 3 logs

How to parse the Splunk Add-on for CyberArk logs in the correct format?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to parse the Splunk Add-on for CyberArk logs in the correct format?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine