linebreak on expression passed into log

fisuser1
Contributor

Trying to do a linebreak on "CIB" being passed into log. (I know, these logs are awful.) Having problems breaking on the CIB expression though. Any suggestions? Splunk wants to break on OFX.

SHOULD_LINEMERGE=false
LINE_BREAKER=(^(?P\w+\s+))
TZ=America/Chicago

Log Format:

CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII

                   20190506090730.831         19640191         ctaxnqidzgkzuete1557133644150B1732PK0400         ENG                    426           051900395                  CIB         0200         Y         PROD                                 -2b777cc0:16a8c453ac4:-2a0a                                 051900395             87836273             CHECKING                                   20190506             20190506             Y             Y                                   

                   20190506090730.796         13927199         wlipfswymcgvelcy1557133638179B1182PK0400         ENG                    642           071901604                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e19                                 071901604             3332930001             CHECKING                                   20190506             20190506             Y             Y                                   

CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.981_5323260_zoadfefhnclstbhc1557151644827B2797PK0900 user: null is authorized
CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Inside New Parser processing
CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151

CIB 2019-05-06 09:07:30,723] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.981_5323260_zoadfefhnclstbhc1557151644827B2797PK0900 OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII

                   20190506090730.708         9866661         vfhntpuabsayykui1557133650682B1172PK0400         ENG                    774           084201294                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e1b                    19990101           Y           Y           N           Y           Y                        

                   20190506090730.670         11761432         zhecbsmbwliobrgk1557133646660B2948PK0400         ENG                    144           111102758                  CIB         0200         Y         PROD                                 -125ceb71:16a8c6053a2:-7e56         TRHST         500                                 111102758             261503081             CHECKING                                   20190410             20190506             Y                                   

                   20190506090730.647         8480130         yxsidmahmlailtri1557133622247B2718PK0400         ENG                    448           325081306                  CIB         0200         Y         PROD                                 -125ceb71:16a8c6053a2:-7e5a         ESP                    20180406           20190506                        2000510-1             LOAN                                   

                   20190506090730.639         8964814         ooaxvqjugedktndw1557133650611B2878PK0400         ENG                    092           211871691                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e1f                    19990101           Y           Y           N           Y                        

                   20190506090730.633         8437258         yqfixwpbmjyuxycs1557133650578B2585PK0400         ENG                    158           071925567                  CIB         0200         Y         PROD                                 4c4e9ea8:16a8bfa5cde:-68b2                    19990101           Y           Y           N           Y                        

                   20190506090730.621         9516145         oaergmlhxnraymbb1557133647475B2893PK0400         ENG                    446           096010415                  CIB         0200         Y         PROD                                 -492b898c:16a8a6f9bd4:4ba5         TRHST         500                                 096010415             69833115             SAVINGS                                   20190429             20190506             Y                                   
0 Karma
1 Solution

maciep
Champion

Didn't test, but maybe something like this:

LINE_BREAKER = ([\r\n]+)(?=CIB\s+\d{4}\-\d{2}\-\d{2})

In general, I typically include the line breakers in the capture group, followed by the thing that starts each event in a positive lookahead.
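The following is an added example, not part of the original posts or of Splunk's own code: it emulates the documented LINE_BREAKER rule (the text before the first capture group ends an event, the group itself is discarded, the text after it starts the next event) so the suggested regex can be checked offline. Assumptions: Python's `re` stands in for Splunk's PCRE engine, `break_events` is a hypothetical helper name, and the sample lines are constructed, abbreviated from the log format in the question.

```python
import re

# Constructed sample, abbreviated from the log format in the question.
# The second event's body contains "CIB" mid-line, which must not start an event.
SAMPLE = (
    "CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] OFXServlet: OFXHEADER:100\n"
    "DATA:OFXSGML\n"
    "VERSION:151\n"
    "SECURITY:NONE\n"
    "CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] OFXServlet - Inside New Parser processing\n"
    "   20190506090730.831   19640191   ENG   426   CIB   0200   Y   PROD\n"
    "CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] OFXServlet: OFXHEADER:100\n"
    "DATA:OFXSGML\n"
)

DEFAULT_BREAKER = r"([\r\n]+)"  # Splunk's default LINE_BREAKER
SUGGESTED_BREAKER = r"([\r\n]+)(?=CIB\s+\d{4}\-\d{2}\-\d{2})"  # from the answer


def break_events(raw, line_breaker):
    """Split raw text into events as SHOULD_LINEMERGE=false would.

    Each match ends the current event at the start of capture group 1 and
    starts the next event at the end of group 1; the group text is dropped.
    """
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])  # whatever follows the last break
    # Drop empty chunks and the trailing line break of the final event.
    return [e.rstrip("\r\n") for e in events if e.strip("\r\n")]


if __name__ == "__main__":
    for name, rx in (("default", DEFAULT_BREAKER), ("suggested", SUGGESTED_BREAKER)):
        events = break_events(SAMPLE, rx)
        print(f"{name}: {len(events)} events")
        for e in events:
            print("  " + repr(e))
```

With the default breaker every OFX header line becomes its own event; with the suggested one they stay attached to the CIB line that precedes them.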
