Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I use the parameters "BREAK_ONLY_BEFORE=\d+:\d+\d+" and "BREAK_ONLY_BEFORE_DATE=true" together in the same props.conf?

Madhan45
Path Finder
‎01-07-2016 02:21 AM

Can I use these two lines in a single props.conf? Will it work?

BREAK_ONLY_BEFORE=\d+:\d+\d+
BREAK_ONLY_BEFORE_DATE=true
0 Karma
Reply

lguinn2
Legend
‎01-07-2016 11:50 AM

You cannot have both of these lines for a single input. Splunk will use one of them, but ignore the other. There will probably be a message in splunkd.log but that will be the only indication of the problem - except for the fact that your events will not break the way you want!

Like @sdaniels, I wonder if this level of complexity is really necessary. But, if it is necessary, you will need to write a single regular expression that will match either the date OR the pattern.

0 Karma
Reply

Madhan45
Path Finder
‎01-08-2016 02:51 AM

okay time_before_close=180 leads to break event?

0 Karma
Reply

alemarzu
Motivator
‎01-08-2016 04:43 AM

Madhan45,

Sample data please.

Reply

sdaniels
Splunk Employee
Splunk Employee
‎01-07-2016 03:18 AM

My first question is why would this be necessary for your data set? You should only need to use one of them and i've personally not encountered a case where you'd need multiple of these when SHOULD_LINEMERGE is set to true. There is nothing in the docs that says it won't work but i'm assuming you aren't getting the desired results. Can you share what your data looks like if this is the case?

0 Karma
Reply

Madhan45
Path Finder
‎01-07-2016 05:08 AM

assume that below is my log:
<2016/01/06> Is restart required after making changes to Props.conf and Transforms.conf.
To not index the Current Date when indexing

I have added in my transforms.conf to ignore. But in this entire event it is ignoring only first two lines. It is not ignoring the third line "

0 Karma
Reply

Madhan45
Path Finder
‎01-07-2016 10:24 PM

okay, "time_before_close=20" in inputs.conf will leads to break events??

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎01-07-2016 06:16 AM

You'll find details on whether you need to restart here...it depends for props and tranforms. Anything search time processing related does not need a restart. http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Configurationfilechangesthatrequirerestart. I do not see your log file entries above.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...