
Why is LINE_BREAKER in props.conf not working?

pgadhari
Builder

I am using the SNMP modular input (snmp_ta) for getting SNMP logs into Splunk. The snmp_ta is installed on a Heavy Forwarder, and the following props.conf is configured in the /opt/splunk/etc/apps/snmp_ta/local directory. I have created a new sourcetype, snmp_ta_dcim. Below is the multiline event, which I want to break into single events before "SNMPv2-SMI......":

SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29865" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22018.41032.29826" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22018.41032.29863" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22019.41032.29827" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22019.41032.29828" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22020.41032.29829" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22020.41032.29830" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22021.41032.29831" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22021.41032.29832" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22022.41032.29834" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22022.41032.29864" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22023.41032.29835" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22023.41032.29836" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22024.41032.29837" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22024.41032.29838" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22025.41032.29839" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22025.41032.29840" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22026.41032.29841" = "85" 
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22026.41032.29842" = "85" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22027.41032.29843" = "439" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22027.41032.29844" = "431" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22028.41032.29845" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22028.41032.29846" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22029.41032.29847" = "111" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22029.41032.29848" = "113" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22030.41032.29849" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22030.41032.29850" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22031.41032.29851" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22031.41032.29852" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22032.41032.29853" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22032.41032.29854" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22033.41032.29855" = "17" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22033.41032.29862" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22034.41032.29856" = "587" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22034.41032.29857" = "610" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22035.41032.29858" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22035.41032.29859" = "0" 
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22036.41032.29860" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22036.41032.29861" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22018.41032.29827" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22018.41032.29828" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22019.41032.29829" = "519" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22019.41032.29830" = "637" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22020.41032.29831" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22020.41032.29832" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22021.41032.29833" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22021.41032.29834" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22022.41032.29835" = "439" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22022.41032.29836" = "453" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22023.41032.29837" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22023.41032.29838" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22024.41032.29839" = "85" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22024.41032.29840" = "84" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22025.41032.29841" = "512" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22025.41032.29842" = "520" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22026.41032.29844" = "0" 
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22026.41032.29867" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22027.41032.29845" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22027.41032.29846" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22028.41032.29847" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22028.41032.29865" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22029.41032.29849" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22029.41032.29850" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22030.41032.29851" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22030.41032.29852" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22031.41032.29853" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22031.41032.29854" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22032.41032.29855" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22032.41032.29856" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22033.41032.29857" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22033.41032.29858" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22034.41032.29860" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22034.41032.29866" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22035.41032.29861" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22035.41032.29862" = "0" 
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22036.41032.29863" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555089.41025.22036.41032.29864" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22017.41032.29827" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22017.41032.29847" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22018.41032.29831" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22018.41032.29851" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22019.41032.29869" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22019.41032.29870" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22020.41032.29826" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22020.41032.29846" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22021.41032.29825" = "1" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22021.41032.29865" = "169" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22022.41032.29829" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22022.41032.29849" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22023.41032.29832" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22023.41032.29852" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22024.41032.29868" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22024.41032.29871" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22025.41032.29830" = "0" 
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22025.41032.29850" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22026.41032.29833" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22026.41032.29853" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22027.41032.29841" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22027.41032.29861" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22028.41032.29837" = "270" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22028.41032.29857" = "260" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22029.41032.29843" = "185" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22029.41032.29863" = "179" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22030.41032.29836" = "276" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22030.41032.29856" = "274" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22031.41032.29840" = "128" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22031.41032.29860" = "133" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22032.41032.29839" = "0" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22032.41032.29859" = "256" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22033.41032.29838" = "276" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22033.41032.29858" = "259" SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555090.41025.22034.41032.29844" = "397"

My props.conf:

[snmp_ta_dcim]
BREAK_ONLY_BEFORE_DATE = 
DATETIME_CONFIG = CURRENT
EVENT_BREAKER = ([\n\r\s]*SNMPv2-SMI::enterprises\.)
EVENT_BREAKER_ENABLE = true
LINE_BREAKER = ([\n\r\s]*SNMPv2-SMI::enterprises\.)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true

But the above props still does not work. Do I have to put the props on both the HF and the indexers? I tried uploading the sample log file on my laptop and used that props; there it works properly, but when I put it on my Splunk test environment, it does not work. I am using Splunk version 6.6.3.

My final output should look like this, after line breaking the whole event:

SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"
SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"
....... and so on.....

Please help to resolve the issue. I have been trying this for days now, but it is not working.

Thanks
PG

0 Karma

lakshman239
Influencer
0 Karma

pgadhari
Builder

Yes, it's the same question asked by my colleague. We have already tried those settings, but it is still not working.

0 Karma

pgadhari
Builder

I opened the new question, including more details on our setup.

0 Karma

aganji
New Member

Hi, did you find an answer for this problem? I have been facing a similar type of issue.

0 Karma

kamlesh_vaghela
SplunkTrust

@pgadhari

Can you please try this?

[snmp_ta_dcim]
DATETIME_CONFIG=CURRENT
LINE_BREAKER=(\s)SNMPv2-SMI::enterprises

I have tried with your sample events and it works for me.


pgadhari
Builder

@kamlesh_vaghela @harsmarvania57 - If you look at the logs properly, the event starts with "SNMPv2-SMI::enterprises" and ends at the third "space"; in between there are 2 spaces.

e.g.:

SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0"
So ideally, we need to break at the last "space" of that event, i.e. the third space. I have attached an image of the event and marked in red the space where the line break should occur.

https://ibb.co/cCqSsXg

How do we write the capture regex for that?

The strange behaviour is that when we export sample raw logs and upload them manually from local, the suggested regex works. But when we put it on the HF, it does not work. We are restarting Splunk after the change on the HF.

0 Karma
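As an added example (this is not code from the thread, from Splunk, or from the snmp_ta app), the Python below simulates Splunk's LINE_BREAKER rule: the stream is cut wherever the regex matches, the text captured by the first capturing group is discarded as the delimiter, whatever precedes the group stays with the previous event, and whatever follows it begins the next one. It runs both patterns from this thread, the original `([\n\r\s]*SNMPv2-SMI::enterprises\.)` and the suggested `(\s)SNMPv2-SMI::enterprises`, over a sample constructed from four of the OID/value pairs in the question, which answers the "which space do we break at" question above. Assumptions: Python's `re` stands in for Splunk's PCRE engine (identical for these two patterns), and empty events are dropped, as Splunk does not emit them.

```python
import re

# Constructed sample: four OID/value pairs copied from the question's raw
# event, joined the way the SNMP modular input emits them (space-separated,
# with one embedded newline). Not the full raw event from the page.
SAMPLE_RAW = (
    'SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29825" = "0" '
    'SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22017.41032.29865" = "0" '
    'SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22026.41032.29841" = "85"\n'
    'SNMPv2-SMI::enterprises."2011.2.281.2.1.20008.41032.1044.1.1.26.33555088.41025.22026.41032.29842" = "85"'
)

# The two LINE_BREAKER values that appear in this thread.
ORIGINAL_LINE_BREAKER = r"([\n\r\s]*SNMPv2-SMI::enterprises\.)"
SUGGESTED_LINE_BREAKER = r"(\s)SNMPv2-SMI::enterprises"


def split_events(raw: str, line_breaker: str) -> list[str]:
    """Simulate Splunk's LINE_BREAKER semantics on a raw chunk of data.

    Splunk breaks wherever the regex matches. The text inside the FIRST
    capturing group is the delimiter and is thrown away; text before the
    group belongs to the previous event, text after it starts the next one.
    Empty events are dropped (assumption of this simulation).
    """
    pattern = re.compile(line_breaker)
    events = []
    cursor = 0
    for m in pattern.finditer(raw):
        events.append(raw[cursor:m.start(1)])  # everything up to the delimiter
        cursor = m.end(1)                      # resume right after the delimiter
    events.append(raw[cursor:])
    return [e for e in events if e.strip()]


def check_events(events: list[str]) -> bool:
    """True when every event is one complete 'SNMPv2-SMI::enterprises.<oid> = "<value>"' pair."""
    return all(
        e.startswith('SNMPv2-SMI::enterprises."') and e.endswith('"') and ' = "' in e
        for e in events
    )


if __name__ == "__main__":
    for label, breaker in (("original", ORIGINAL_LINE_BREAKER),
                           ("suggested", SUGGESTED_LINE_BREAKER)):
        events = split_events(SAMPLE_RAW, breaker)
        print(f"{label}: {len(events)} events, well-formed={check_events(events)}")
        for e in events:
            print("   ", repr(e))
```

Running it shows the difference between the two patterns. The original one does split the data into four events, but because `SNMPv2-SMI::enterprises.` sits inside the capturing group it is discarded with the delimiter, so every event begins with `"2011...` instead of the OID prefix. The suggested pattern captures only the single whitespace character that precedes each `SNMPv2-SMI::enterprises`, so the break lands exactly on the "third space" described above; the space inside `= "0"` is never followed by that literal, so nothing breaks there, and the embedded newline before the last pair is consumed the same way as a space. Whether the HF actually loads the stanza is a separate question from the regex: line breaking happens in the parsing pipeline, so the stanza has to be on the first full Splunk instance that parses the data (the HF in this setup), and `splunk btool props list snmp_ta_dcim --debug` run on that host prints each effective setting together with the file it was read from.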

pgadhari
Builder

Any other settings you suggest for this, to resolve the issue?

0 Karma

pgadhari
Builder

I tried with your settings, but it is not working. Still, it is coming as a multi-line event 😞.

0 Karma

harsmarvania57
Ultra Champion

Use SHOULD_LINEMERGE = false with the above settings.

0 Karma

pgadhari
Builder

I have already tried that also in the settings, but still no luck.

0 Karma

pgadhari
Builder

I already tried that before. It works properly with the sample events on my laptop. But when I copy it to the heavy forwarder (on my server), it doesn't seem to be working. I suspect that somehow my HF is not reading that props.conf, but I am not sure about that.

How can we check whether my props.conf is being read properly for that sourcetype?
But still, I will check the above options and see whether it works or not.

0 Karma