Getting Data In
Highlighted

After upgrade to 4.2 the Events from Windows Eventslogs are partially not working, lines broken at random positions

Splunk Employee
Splunk Employee
Highlighted

Re: After upgrade to 4.2 the Events from Windows Eventslogs are partially not working, lines broken at random positions

Splunk Employee
Splunk Employee

In Splunk 4.1.x the LINE_BREAKER setting for the stanza [source::WinEventLog...] in the config $SPLUNK_HOME/etc/system/default/props.conf has been set to:

LINE_BREAKER =([\r\n](?=\d\d/\d\d/\d\d \d\d:\d\d:\d\d [aApPmM]{2}))

this changed to the following in 4.2:

LINE_BREAKER =([\r\n](?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))

Workaround:

LINE_BREAKER =([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))

View solution in original post

Highlighted

Re: After upgrade to 4.2 the Events from Windows Eventslogs are partially not working, lines broken at random positions

Splunk Employee
Splunk Employee

This known issue (SPL-38325) and targeted for a fix in 4.2.1

Highlighted

Re: After upgrade to 4.2 the Events from Windows Eventslogs are partially not working, lines broken at random positions

Path Finder

We tried both and we continued to get events collated into bigger splunk events - i.e. 1 big splunk event that contains a random number of windows events together with no spacing between them. So no splitting on the time/date field.

However we found a solution with the help of a splunk tech, Guillaume:

I used the shotgun method of creating a props.conf in /etc/system/local
With: [source::WinEventLog:Application] LINE_BREAKER=([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) SHOULD_LINEMERGE=false

[source::WinEventLog:System] LINE_BREAKER=([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) SHOULD_LINEMERGE=false

[source::WinEventLog:...] LINE_BREAKER=([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})) SHOULD_LINEMERGE=false

It works for system and application but not for WinEventLog:Directory Service and WinEventLog:DNS Server – so I presume the globbing ability of the ellipsis isn't grokked by the Splunk engine anymore too? (I apologise - it has been a long day).

Anyway - this should hold people until the patch.

0 Karma