Solved: “Create Source Type” inquiry

RK_sp1unk · ‎01-22-2020

“Create Source Type” inquiry.

We want to create a new sourcetype that break events based a word orderActivityRep { and the event ends with }.

How to do it

The logs arrive to Splunk in this format: Example:

orderActivityRep {
secBoardId {
securityIdType void,
secCode "GFH",
boardId "REGULAR"
},
orderId {
orderDate 20190731,
orderNo 9999,
orderNoSuffix 0,
speedIndex -1
},
orderStatus unplaced,
orderEvent place,
buySell sell,
quantity {
value 20000,
decimals 0
},
duration goodTillCancelled,
}

orderActivityRep {
secBoardId {
securityIdType void,
secCode "NBB",
boardId "REGULAR"
},
orderId {
orderDate 20120111,
orderNo 9999,
orderNoSuffix 0,
speedIndex -1
},
orderStatus unplaced,
orderEvent place,
buySell sell,
quantity {
value 2001,
decimals 0
},
duration goodTillCancelled,
}

In the above example Splunk should create 2 events.

gcusello · ‎01-23-2020

Hi @RK_sp1unk,
you should use a props.conf like this:

[your_sourcetype]
SHOULD_LINEMERGE = true
LINE_BREAKER = orderActivityRep \{
TIME_PREFIX = orderDate\s
TIME_FORMAT = %Y%m%d

Ciao.
Giuseppe

View solution in original post

gcusello · ‎01-23-2020

Hi @RK_sp1unk,
you should use a props.conf like this:

[your_sourcetype]
SHOULD_LINEMERGE = true
LINE_BREAKER = orderActivityRep \{
TIME_PREFIX = orderDate\s
TIME_FORMAT = %Y%m%d

Ciao.
Giuseppe

“Create Source Type” inquiry

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All