Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to add two strings as line breaker options
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add two strings as line breaker options
poddraj
Explorer
11-26-2019
03:13 AM
Hi,
In my data, I have two kinds of XML.
i.e. Request & Response
I want to break the log when my starts and ends with also when starts and ends with.
Can someone help to achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poddraj
Explorer
11-28-2019
03:28 AM
Below is my sample log data.. Out of it I only want the Request & Response XML information to be indexed and other should not indexed or shouldn't be visible in my search index result
11/28 07:20:20.31 do_ta(99)5733 syncWithNS: End syncing cache with NS
11/28 07:20:20.31 fgdf(99)556 collectIORs: HostNode:[hfeihf] LastTimeIORsCollected=1574925420, cur=1574925620. Diff = -200. Min = 240. So not collecting now.
11/28 07:20:20.31 fgdf(99)556 collectIORs: HostNode:[hfeihf] LastTimeIORsCollected=1574925420, cur=1574925620. Diff = -200. Min = 240. So not collecting now.
11/28 07:20:20.31 fgdf(99)556 collectIORs: HostNode:[hfeihf] LastTimeIORsCollected=1574925420, cur=1574925620. Diff = -200. Min = 240. So not collecting now.
11/28 07:20:20.31 fgdf(99)556 collectIORs: HostNode:[hfeihf] LastTimeIORsCollected=1574925420, cur=1574925620. Diff = -200. Min = 240. So not collecting now.
11/28 07:20:20.31 fgdf(99)556 collectIORs: HostNode:[feihf] LastTimeIORsCollected=1574925420, cur=1574925620. Diff = -200. Min = 240. So not collecting now.
11/28 07:16:59.10 oraconn(9979)873 executeStmt: EXEC Stmt: [SELECT * FROM abc WHERE active=1 AND root_id='xyz' AND root_kind='fgjh' AND domain_id='1213' AND domain_kind='dfsd' AND service_id='GG' AND service_kind='gfg' AND field1='Linux']
11/28 07:16:59.11 oraconn(9979)1575 fetchResultSet: Got 0 row(s) for the query. Time taken = 0.000 sec
11/28 07:16:59.08 oraconn(9979)873 executeStmt: EXEC Stmt: [SELECT * FROM abc WHERE active=1 AND root_id='xyz' AND root_kind='fgjh' AND domain_id='1213' AND domain_kind='dfsd' AND service_id='GWRNG' AND service_kind='gfg' AND field1='Linux']
11/28 07:16:59.08 oraconn(9979)1575 fetchResultSet: Got 0 row(s) for the query. Time taken = 0.000 sec
11/27 10:42:48.49 dfd(131)10151 comd::checktest KEY: aa:A78900007-, bb:76000009, cc:VS, REQID:0,
|123H
FT
TE
DS
10-118-224-197.
V
2019-11-27T10:42:15Z
Y
Y
Y
11/28 07:20:20.31 fgdf(9979)556 collectIORs: HostNode:[DNA4-aff] LastTimeIORsCollected=1574925420, cur=1574925620. Diff = -200. Min = 240. So not collecting now.
11/28 07:16:59.10 oraconn(9979)873 executeStmt: EXEC Stmt: [SELECT * FROM abc WHERE active=1 AND root_id='xyz' AND root_kind='fgjh' AND domain_id='121' AND service_id='GNG' AND service_kind='gfg' AND field1='Linux']
11/28 07:16:59.11 oraconn(9979)1575 fetchResultSet: Got 0 row(s) for the query. Time taken = 0.000 sec
TEST
TP
DS
|535EM
10-118-224-197
25
Y
Y
Y
2019-11-19T08:30:46Z
Demand
27
73
V
GC
CA
000
C
SUCCESS
<ATTACH_NAME>TS</ATTACH_NAME>
<ATTACH_DESC>lts</ATTACH_DESC>
<ATTACH_INFO>LTS</ATTACH_INFO>
</ATTACHMENT>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-29-2019
11:40 AM
Well your data has neither the string request, nor the string response, nor any XML even remotely like that. It is impossible for anybody to help without a more clear explanation of what you need. Which line numbers should be thrown away? Which line numbers should be Event#1 and which Event#2?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-26-2019
02:19 PM
Like this:
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?:RegEx1Here)|(?:RegEx2Here))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yannK
Splunk Employee
11-26-2019
02:12 PM
Pick your sample and upload it in the Search-head UI as "add data".
Then you will have an editor to tweak your sourcetype props.conf and see the result live.
For linebreaking, read https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Configureeventlinebreaking
you probably need to put a proper regex in LINE_BREAKER for your xml format.
or if you already have a linebreaker, try to define a multiline grouping with BREAK_ONLY_BEFORE or MUST_BREAK_AFTER
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-26-2019
05:20 AM
It is easy to answer if you have a sample log.
How is it?
Get Updates on the Splunk Community!
Splunk Mobile: Your Brand-New Home Screen
Meet Your New Mobile Hub
Hello Splunk Community!
Staying connected to your data—no matter where you are—is ...
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...
