
linebreak on expression passed into log

Communicator

Trying to do a linebreak on "CIB" being passed into log. (I know, these logs are awful.) Having problems breaking on the CIB expression though. Any suggestions? Splunk wants to break on OFX.

SHOULD_LINEMERGE=false
LINE_BREAKER=(^(?P\w+\s+))
TZ=America/Chicago

Log Format:

CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII

                   20190506090730.831         19640191         ctaxnqidzgkzuete1557133644150B1732PK0400         ENG                    426           051900395                  CIB         0200         Y         PROD                                 -2b777cc0:16a8c453ac4:-2a0a                                 051900395             87836273             CHECKING                                   20190506             20190506             Y             Y                                   

                   20190506090730.796         13927199         wlipfswymcgvelcy1557133638179B1182PK0400         ENG                    642           071901604                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e19                                 071901604             3332930001             CHECKING                                   20190506             20190506             Y             Y                                   

CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.9815323260zoadfefhnclstbhc1557151644827B2797PK0900 user: null is authorized
CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Inside New Parser processing
CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: OFXHEADER:100
DATA:OFXSGML
VERSION:151

CIB 2019-05-06 09:07:30,723] [THREAD: iner : 40] com.ffusion.ffs.ofx.servlets.OFXServlet - Mon May 06 09:07:30 CDT 2019: OFXServlet: RQID:20190506140725.9815323260zoadfefhnclstbhc1557151644827B2797PK0900 OFXHEADER:100
DATA:OFXSGML
VERSION:151
SECURITY:NONE
ENCODING:USASCII

                   20190506090730.708         9866661         vfhntpuabsayykui1557133650682B1172PK0400         ENG                    774           084201294                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e1b                    19990101           Y           Y           N           Y           Y                        

                   20190506090730.670         11761432         zhecbsmbwliobrgk1557133646660B2948PK0400         ENG                    144           111102758                  CIB         0200         Y         PROD                                 -125ceb71:16a8c6053a2:-7e56         TRHST         500                                 111102758             261503081             CHECKING                                   20190410             20190506             Y                                   

                   20190506090730.647         8480130         yxsidmahmlailtri1557133622247B2718PK0400         ENG                    448           325081306                  CIB         0200         Y         PROD                                 -125ceb71:16a8c6053a2:-7e5a         ESP                    20180406           20190506                        2000510-1             LOAN                                   

                   20190506090730.639         8964814         ooaxvqjugedktndw1557133650611B2878PK0400         ENG                    092           211871691                  CIB         0200         Y         PROD                                 -12f8b87f:16a8c39e671:-e1f                    19990101           Y           Y           N           Y                        

                   20190506090730.633         8437258         yqfixwpbmjyuxycs1557133650578B2585PK0400         ENG                    158           071925567                  CIB         0200         Y         PROD                                 4c4e9ea8:16a8bfa5cde:-68b2                    19990101           Y           Y           N           Y                        

                   20190506090730.621         9516145         oaergmlhxnraymbb1557133647475B2893PK0400         ENG                    446           096010415                  CIB         0200         Y         PROD                                 -492b898c:16a8a6f9bd4:4ba5         TRHST         500                                 096010415             69833115             SAVINGS                                   20190429             20190506             Y                                   

Re: linebreak on expression passed into log

Champion

Didn't test, but maybe something like this:

LINE_BREAKER = ([\r\n]+)(?=CIB\s+\d{4}\-\d{2}\-\d{2})

In general I typically include the line breakers in the capture group, followed by the thing that starts each event in a positive lookahead.

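A way to check the suggested LINE_BREAKER offline before deploying it, as an added example that is not part of the original thread: the Python sketch below approximates Splunk's behaviour (the text matched by the first capture group is discarded and an event boundary is placed there) using Python's `re` instead of Splunk's PCRE engine. The function name `break_events` is hypothetical and the sample lines are constructed from the log format in the question.

```python
import re

# LINE_BREAKER value suggested in the answer above.
LINE_BREAKER = r"([\r\n]+)(?=CIB\s+\d{4}\-\d{2}\-\d{2})"
# For comparison: break on every newline run.
PER_LINE = r"([\r\n]+)"

# Constructed sample, shortened from the log format in the question.
# Note the payload line that contains "CIB" in the middle of the line.
SAMPLE = (
    "CIB 2019-05-06 09:07:30,839] [THREAD: iner : 17] OFXServlet: OFXHEADER:100\n"
    "DATA:OFXSGML\n"
    "VERSION:151\n"
    "\n"
    "   20190506090730.831   ENG   CIB   0200   Y   PROD\n"
    "CIB 2019-05-06 09:07:30,724] [THREAD: iner : 40] OFXServlet - Inside New Parser processing\n"
    "CIB 2019-05-06 09:07:30,885] [THREAD: iner : 40] OFXServlet: OFXHEADER:100\n"
    "DATA:OFXSGML\n"
)

def break_events(raw, line_breaker=LINE_BREAKER):
    """Split raw text into events the way LINE_BREAKER does with
    SHOULD_LINEMERGE=false: capture group 1 is dropped, the event
    ends before it and the next event starts after it."""
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    # Drop empty fragments (e.g. after a trailing newline).
    return [e for e in events if e.strip()]

if __name__ == "__main__":
    for i, event in enumerate(break_events(SAMPLE), 1):
        print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
        print(event)
    print("per-line breaker would yield",
          len(break_events(SAMPLE, PER_LINE)), "events")
```

Because the lookahead requires `CIB` plus a date immediately after the newline run, the `CIB` inside the payload line does not start a new event, and the OFX header lines stay attached to the event that logged them.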