Getting Data In

BREAK_ONLY_BEFORE works but LINE_BREAKER automatically added

Azwaliyana
Path Finder

Can I configure BREAK_ONLY_BEFORE with this regex:

##################################################################|(pg-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(ss7-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(ss7-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(da-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(da-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(fs-3 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(fs-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(fs-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(om-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(pg-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(om-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(mms-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(mms-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)

and SHOULD_LINEMERGE to true?

My problem is that when I configure this, Splunk automatically adds the regex that I have specified in BREAK_ONLY_BEFORE as LINE_BREAKER. So the result is not what I want. I want to keep the regex specified in the event. I do not want the LINE_BREAKER because it will remove the regex specified. Does anyone know what I should do about this?


richgalloway
SplunkTrust

I presume you're using the GUI to make these settings.  Have you tried editing the props.conf file directly?

The LINE_BREAKER attribute discards the contents of the first capture group, which can be empty.  Therefore, this should be equivalent to your BREAK_ONLY_BEFORE setting:

()##################################################################|(pg-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(ss7-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(ss7-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(da-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(da-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(fs-3 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(fs-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(fs-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(om-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(pg-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(om-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(mms-1 \| [a-zA-Z0-9._%-]* \| rc=0 >>)|(mms-2 \| [a-zA-Z0-9._%-]* \| rc=0 >>)
---
If this reply helps you, Karma would be appreciated.
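As an added example (not code from the thread, and not Splunk's own implementation), the Python script below emulates in simplified form how LINE_BREAKER cuts a stream: each match ends the previous event at the start of capture group 1 and begins the next event at its end, so only the text inside group 1 is discarded. It shows that the empty `()` group in the reply above keeps the `host | ... | rc=0 >>` header at the start of the event, whereas capturing the delimiter itself loses the header, which is the symptom described in the question. The sourcetype name, the hostnames in the sample and the relaxed `#{20,}` match for the separator line are assumptions; the alternatives are additionally wrapped in a non-capturing group so that the empty group is group 1 for every alternative.

```python
import re

# Added example, not code from the thread: a simplified emulation of how
# Splunk's LINE_BREAKER splits a stream, used to show why an empty first
# capture group keeps the host header in the event.

HOST_RE = r"[a-zA-Z0-9._%-]*"
HOSTS = ["pg-2", "ss7-2", "ss7-1", "da-1", "da-2", "fs-3", "fs-2", "fs-1",
         "om-1", "pg-1", "om-2", "mms-1", "mms-2"]
# The page's separator is a long run of '#'; matching any run of 20 or more
# avoids depending on its exact length (this relaxation is an assumption).
ALTERNATIVES = [r"#{20,}"] + [rf"{h} \| {HOST_RE} \| rc=0 >>" for h in HOSTS]

# Empty group 1 in front of a non-capturing alternation: the break point is
# zero-width, so the header text stays at the start of the next event.
# Wrapping the alternatives in (?:...) is this example's addition; it makes
# the empty group the first capture group for every alternative.
LINE_BREAKER = "()(?:" + "|".join(ALTERNATIVES) + ")"

# Same delimiters, but captured by group 1: the header text is dropped.
DISCARDING_BREAKER = "((?:" + "|".join(ALTERNATIVES) + "))"

# Equivalent props.conf stanza (sourcetype name assumed). When LINE_BREAKER
# does the splitting, SHOULD_LINEMERGE is set to false.
PROPS_STANZA = (
    "[host_report]\n"
    "SHOULD_LINEMERGE = false\n"
    f"LINE_BREAKER = {LINE_BREAKER}\n"
)


def line_break(stream: str, line_breaker: str) -> list[str]:
    """Cut `stream` into events the way LINE_BREAKER does (simplified):
    each match ends the previous event at the start of capture group 1 and
    starts the next event at the end of group 1, so only the contents of
    group 1 are discarded. Empty events are not emitted."""
    events, start = [], 0
    for m in re.finditer(line_breaker, stream):
        if m.start(1) > start:
            events.append(stream[start:m.start(1)])
        start = m.end(1)
    if start < len(stream):
        events.append(stream[start:])
    return events


# Constructed sample in the thread's format (hostnames invented).
SAMPLE = (
    "pg-2 | pg-2.example.net | rc=0 >>\n"
    "  uptime: 12 days\n"
    "ss7-1 | ss7-1.example.net | rc=0 >>\n"
    "  uptime: 3 days\n"
    + "#" * 30 + "\n"
)


def headers(events: list[str]) -> list[str]:
    """First line of each event, i.e. what a search shows as its start."""
    return [e.split("\n", 1)[0] for e in events]


if __name__ == "__main__":
    print(PROPS_STANZA)
    print("kept:     ", headers(line_break(SAMPLE, LINE_BREAKER)))
    print("discarded:", headers(line_break(SAMPLE, DISCARDING_BREAKER)))
```

Running it prints three events whose first lines are the two host headers and the separator; with the discarding variant every event starts with an empty line because the header was consumed by group 1. When you move the pattern into LINE_BREAKER like this, also set SHOULD_LINEMERGE to false so Splunk does not re-merge the lines afterwards.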

Azwaliyana
Path Finder

Do you know where the props.conf is? I have tried to find it but failed.


richgalloway
SplunkTrust

There should be more than one props.conf file on most systems.  One of them is always $SPLUNK_HOME/etc/system/default/props.conf, but it must NEVER be modified.

Other props.conf files can be in $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/*/default or $SPLUNK_HOME/etc/apps/*/local.  There are other locations for deployment servers and for SH and indexer clusters.  The location that is right for you depends on your architecture and the instance that is to load the file.

One way to find an existing props.conf file is with btool.  Run this command

splunk btool --debug props list | grep LINE_BREAKER

The --debug option shows the name of the file the setting came from and grep is used to make the output less verbose.

---
If this reply helps you, Karma would be appreciated.

Azwaliyana
Path Finder

Why does it say the command was not found?

[Attached screenshot: fortinet.PNG]


richgalloway
SplunkTrust

The command "splunk" was not found in your $PATH setting.  Either update $PATH or qualify the command.

export PATH=$PATH:/opt/splunk/bin
/opt/splunk/bin/splunk btool --debug props list | grep LINE_BREAKER

This is not unique to Splunk; it is the way the OS works.

---
If this reply helps you, Karma would be appreciated.