Archive

props.conf multi line log parsing

karakutu
Path Finder

i have multi line log and i want to split it line by line

i do following props.conf configaration:

[df]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MUST_BREAK_AFTER = ([\n]+)

i set it in application default directory and also in /opt/splunk/etc/system/local/props.conf

it doesnt work

log example:

Filesystem                                          Type              Size        Used       Avail      UsePct    MountedOn
udev                                                devtmpfs           10M           0         10M          0%    /dev
/dev/dm-0                                           ext4               95G        6.5G         84G          8%    /
/dev/fuse                                           fuse               30M         44K         30M          1%    /etc/pve
/dev/sdb1                                           xfs               927G        285G        642G         31%    /var/lib/ceph/osd/ceph-3
/dev/sdc1                                           xfs               927G        292G        635G         32%    /var/lib/ceph/osd/ceph-4
/dev/sdd1                                           xfs               927G        312G        615G         34%    /var/lib/ceph/osd/ceph-5
10. :/BACKUP                                nfs               3.6T        2.9T        756G         80%    /mnt/pve/backup
Tags (1)
0 Karma
1 Solution

karakutu
Path Finder

after i restart the splunk its work.

i think line break doenst work if we set propf.conf in the app default directory

View solution in original post

0 Karma

karakutu
Path Finder

after i restart the splunk its work.

i think line break doenst work if we set propf.conf in the app default directory

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you do .conf changes while Splunk is running, Splunk ignores them until it's told "I'm done editing, go use this now" - most obvious way is a restart.

Line breaking in etc/apps/some_name/default works well, else no TA off splunkbase could ever do line breaking.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!