Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrade to 4.2 the Events from Windows Eventslogs are partially not working, lines broken at random positions

zliu
Splunk Employee
Splunk Employee
‎03-25-2011 08:57 PM

screenshot

Reply
1 Solution
Solved! Jump to solution
Solution

zliu
Splunk Employee
Splunk Employee
‎03-25-2011 09:07 PM

In Splunk 4.1.x the LINE_BREAKER setting for the stanza [source::WinEventLog...] in the config $SPLUNK_HOME/etc/system/default/props.conf has been set to:

LINE_BREAKER =([\r\n](?=\d\d/\d\d/\d\d \d\d:\d\d:\d\d [aApPmM]{2}))

this changed to the following in 4.2:

LINE_BREAKER =([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))

Workaround:

LINE_BREAKER =([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))

View solution in original post

Reply
Solved! Jump to solution

matthewhaswell
Path Finder
‎04-01-2011 03:51 PM

We tried both and we continued to get events collated into bigger splunk events - i.e. 1 big splunk event that contains a random number of windows events together with no spacing between them. So no splitting on the time/date field.

However we found a solution with the help of a splunk tech, Guillaume:

I used the shotgun method of creating a props.conf in /etc/system/local
With: [source::WinEventLog:Application] LINE_BREAKER=([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) SHOULD_LINEMERGE=false

[source::WinEventLog:System] LINE_BREAKER=([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) SHOULD_LINEMERGE=false

[source::WinEventLog:...] LINE_BREAKER=([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) SHOULD_LINEMERGE=false

It works for system and application but not for WinEventLog:Directory Service and WinEventLog:DNS Server – so I presume the globbing ability of the ellipsis isn't grokked by the Splunk engine anymore too? (I apologise - it has been a long day).

Anyway - this should hold people until the patch.

0 Karma
Reply
Solved! Jump to solution
Solution

zliu
Splunk Employee
Splunk Employee
‎03-25-2011 09:07 PM

In Splunk 4.1.x the LINE_BREAKER setting for the stanza [source::WinEventLog...] in the config $SPLUNK_HOME/etc/system/default/props.conf has been set to:

LINE_BREAKER =([\r\n](?=\d\d/\d\d/\d\d \d\d:\d\d:\d\d [aApPmM]{2}))

this changed to the following in 4.2:

LINE_BREAKER =([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))

Workaround:

LINE_BREAKER =([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))

Reply
Solved! Jump to solution

Ellen
Splunk Employee
Splunk Employee
‎03-31-2011 08:29 PM

This known issue (SPL-38325) and targeted for a fix in 4.2.1

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...