Trying to break events and can't figure this one out. I receive a bunch of events in a single line, I want to break them using a pattern but it's not working for me. I'm using the Add data screen. Events should break when encountering
I've tried BREAKONLYBEFORE, LINE_BREAKER - nothing makes the event break. What am I doing wrong?
Sample of the log below:
<162>Mar 11 21:45:03 MACHINE CEF:0|PowerTech|Interact|3.1|TCA0001|The bytestream file *N/*N /Help Systems/Robot SCHEDULE ENTERPRISE/tmp/s7472_6859175.sz authority has been changed for user profile *PUBLIC.|2|src=X.X.X.X dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:ENTSERVER1 JUSER:RBTENTUSR JNBR:171392 PGM:QLESPI OBJECT: LIBRARY: MEMBER: DETAIL:A *N *N *STMF *PUBLIC Y Y Y Y Y RPL 0000 00000 * * *NA *NA<162>Mar 11 21:45:03 MACHINE CEF:0|PowerTech|Interact|3.1|TCA0001|The bytestream file *N/*N /Help Systems/Robot SCHEDULE ENTERPRISE/tmp/s7472_6859175.sz authority has been changed for user profile RBTENTUSR.|2|src=X.X.X.X dst=0.0.0.0 msg=TYPE:JRN CLS:AUD JJOB:ENTSERVER1 JUSER:RBTENTUSR JNBR:171392 PGM:QLESPI OBJECT: LIBRARY: MEMBER: DETAIL:A *N *N *STMF RBTENTUSR Y Y Y Y Y Y Y Y Y RPL 0000 00000 * * *NA *NA
props.conf on the parsing Splunk instance, and restart Splunk after the change:
[YourSourcetypeNameHere]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\<162\>|\s\*NA\s\*NA(.*)\<
TIME_PREFIX=\<162\>
Hope that helps ...
Took this to Slack and got more details, for example that it is a TCP input and the events actually do not contain *NA. After some tries this line breaker worked just fine:
The response of the OP was awesome, and I want to share it:
I appreciate the help. But it's not working for me. I still get most events wrapped in Splunk as a single event. I've done exactly what you suggested - no luck.
Take a file that contains the events, use the Add Data page http://docs.splunk.com/Documentation/Splunk/latest/Data/Howdoyouwanttoadddata and add the file. On the next screen use the advanced settings and add all the options from the above props.conf, click apply and you see it works 😉
Reasons why it does not work for you:
props.conf needs to be on the parsing Splunk instance, that is either a heavy weight forwarder or an indexer
props.conf does not match your sourcetype, e.g. a typo? Watch for case in the sourcetype!
props.conf will only work on new events
Hope this helps ...
Tried all of that - not working for me. It just doesn't split all the events like I thought it would. I still see multiple <162> tags inside a single Splunk event.
It's the first time I'm stuck like this. I'm usually pretty good at this and have been using the tool for 2 years.
Have you tried the Add Data page with the sample data in my first post? Is it working for you?
Yep, used your provided examples, copied multiple lines into a file and used the Add Data page to create the
Ok good. You mentioned multiple lines - make sure there's no LF or CR anywhere - what if all these multiple "lines" are just one big mess of characters, just one big line with multiple <162> - is it working then?
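To make the point in the last reply concrete, here is an added example (not from this thread or from Splunk) that approximates LINE_BREAKER semantics: the text matched by the regex's first capturing group becomes the event boundary and is discarded. It runs a newline-based breaker and a marker-based breaker over a constructed sample modelled on the log above, once glued onto one line and once with a LF between events; the breaker regexes and the simplified semantics are my assumptions, not Splunk's parser.

```python
import re
from typing import List

# Constructed sample modelled on the thread's log: two CEF events glued onto one
# line with no CR/LF between them (the second begins at the "<162>" marker).
SAMPLE = (
    "<162>Mar 11 21:45:03 MACHINE CEF:0|PowerTech|Interact|3.1|TCA0001|first event|2|"
    "src=X.X.X.X dst=0.0.0.0 msg=DETAIL:A RPL 0000 00000 * * *NA *NA"
    "<162>Mar 11 21:45:03 MACHINE CEF:0|PowerTech|Interact|3.1|TCA0001|second event|2|"
    "src=X.X.X.X dst=0.0.0.0 msg=DETAIL:A RPL 0000 00000 * * *NA *NA"
)
# Same data, but with a real line feed between the two events.
MULTILINE = SAMPLE.replace("*NA<162>", "*NA\n<162>")

# Assumed breakers: the newline one is Splunk's usual default shape; the
# marker one uses an empty capturing group plus a lookahead so that the
# boundary sits right before "<162>" without consuming the marker itself.
NEWLINE_BREAKER = r"([\r\n]+)"
MARKER_BREAKER = r"()(?=<162>)"


def split_events(raw: str, line_breaker: str) -> List[str]:
    """Approximate LINE_BREAKER: the span matched by capturing group 1 is an
    event boundary and is dropped; everything else is kept verbatim."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, pos = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) == -1:  # group 1 did not take part in this match
            continue
        chunk = raw[pos:m.start(1)]
        if chunk:  # skip the empty chunk produced by a boundary at offset 0
            events.append(chunk)
        pos = m.end(1)
    tail = raw[pos:]
    if tail:
        events.append(tail)
    return events


def event_counts() -> dict:
    """How many events each breaker yields on the one-line and LF-separated data."""
    return {
        "one_line/newline_breaker": len(split_events(SAMPLE, NEWLINE_BREAKER)),
        "one_line/marker_breaker": len(split_events(SAMPLE, MARKER_BREAKER)),
        "lf_separated/newline_breaker": len(split_events(MULTILINE, NEWLINE_BREAKER)),
    }


if __name__ == "__main__":
    for name, count in event_counts().items():
        print(f"{name}: {count} event(s)")
```

With no CR/LF in the data the newline breaker never fires and the whole line stays one event, which is exactly the symptom described in the thread; breaking on the `<162>` marker splits it.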