Getting Data In

Events Formatting

blbr123
Path Finder

Hi All,

I have a scripted input which gets data from a URL and sends it to Splunk.

But now I have an issue with event formatting. The actual website data I am ingesting is as shown below:

##### BEGIN STATUS #####
#LAST UPDATE  :  Tue,  28  Nov  2023  11:00:16  +0000
Abcstatus.status=ok
Abcstatus.lastupdate=17xxxxxxxx555

###  ServiceStatus  ###
xxxxx
xxxxxx
xxxx
###  SystemStatus  ###
XXXX'
XXXX

###  xyxStatus  ###
XXX
XXX
XXX
.
.
.
.
So on....

But in Splunk the lines below are coming as separate events instead of being part of one complete event:

##### FIRST STATUS #####  - is coming as a separate event

Abcstatus.status=ok  - this is also coming as a separate event

All the lines below are coming as one event, which is correct, and the above two lines should also be part of this one event:

Abcstatus.lastupdate=17xxxxxxxx555
###  ServiceStatus  ###
xxxxx
xxxxxx
xxxx
###  SystemStatus  ###
.
.
.
So on....
#####   END STATUS  #####

Below is my props:

DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE=TRUE
BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5}
MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5}
TIME_PREFIX=^#\w+\s\w+\w+\s:\s
MAX_TIMESTAMP_LOOKAHEAD=200

Can you please help me with the issue?

0 Karma

richgalloway
SplunkTrust

If DATETIME_CONFIG is set to CURRENT then there is no need for the TIME_PREFIX or MAX_TIMESTAMP_LOOKAHEAD settings.

The regexes do not match the sample data - the regex expects too many spaces. Also, there is no BREAK_ONLY_AFTER setting. Perhaps you mean MUST_BREAK_AFTER. Try these settings.

DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = TRUE
MUST_BREAK_AFTER = [\r\n]+#{5}\s+END\sSTATUS\s+\#{5}


---
If this reply helps you, Karma would be appreciated.
0 Karma
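An added check, not code from the thread, that runs the poster's original END-marker regex and a fixed variant over a constructed sample shaped like the status page above and merges lines with a simplified model of SHOULD_LINEMERGE plus MUST_BREAK_AFTER. SAMPLE, ORIGINAL_END, FIXED_END and the merge model are assumptions; the toy drops the `[\r\n]+` prefix because it matches one line at a time, and it does not reproduce Splunk's timestamp-driven breaking, so it illustrates only the spacing point made in the reply.

```python
import re

# Constructed sample shaped like the status page in the question: two
# status blocks back to back, placeholder values, no forum blank lines.
SAMPLE = (
    "##### BEGIN STATUS #####\n"
    "#LAST UPDATE  :  Tue,  28  Nov  2023  11:00:16  +0000\n"
    "Abcstatus.status=ok\n"
    "Abcstatus.lastupdate=17xxxxxxxx555\n"
    "###  ServiceStatus  ###\n"
    "xxxxx\n"
    "#####   END STATUS  #####\n"
) * 2

# The poster's original regex: \s{6} demands exactly six whitespace chars,
# but the END line has three spaces after the hashes and two before them.
ORIGINAL_END = r"^#{5}\s{6}END\sSTATUS\s{6}\#{5}"
# Assumed per-line form of the suggested fix: \s+ accepts any run of
# whitespace. The [\r\n]+ prefix is dropped because this check matches one
# line at a time.
FIXED_END = r"^#{5}\s+END\sSTATUS\s+#{5}"


def matching_lines(pattern, text):
    """Return the lines of text that the MUST_BREAK_AFTER regex matches."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def merge_events(text, must_break_after):
    """Toy model of SHOULD_LINEMERGE=true with MUST_BREAK_AFTER: each line is
    appended to the current event, and a line matching the regex closes it
    so the next line starts a new event. Splunk's real pipeline also breaks
    on timestamps and other props, which is not modelled here."""
    rx = re.compile(must_break_after)
    events, current = [], []
    for line in text.splitlines():
        current.append(line)
        if rx.search(line):
            events.append("\n".join(current))
            current = []
    if current:  # flush a trailing partial event
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_END), ("fixed", FIXED_END)):
        print(f"{name}: {len(matching_lines(pattern, SAMPLE))} END lines matched,"
              f" {len(merge_events(SAMPLE, pattern))} event(s) produced")
```

With the original regex no line ever matches, so the two blocks never split; with the fixed regex each END line closes an event.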

blbr123
Path Finder

I tried the props settings you suggested but still same issue.


######   BEGIN STATUS   ##### is coming as a separate event.

#LAST UPDATE : Wed, 29 Nov 2023 10:39:57 +0000 GlobalStatus.status=OK, this is also coming as a separate event

Both these events should come under one event.


0 Karma