Solved: Help with Line Break for log - Splunk Community

Getting Data In

04/19/18 12:32:17.398524 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Hos
tLoanExists).DATETIME(4/19/2018 12:32:17 PM)~A0~BLMS~DCARD~F??????????????~HL
OAN~JID=ALL

04/19/18 12:32:17.398907 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(H
ostLoanExists).DATETIME(4/19/2018 12:32:17 PM)~K1:SymConnect is off host

04/19/18 12:33:26.915422 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Ho
stLoanExists).DATETIME(4/19/2018 12:33:26 PM)~A0~BLMS~DCARD~F??????????????~H
LOAN~JID=ALL

04/19/18 12:33:26.930871 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(
HostLoanExists).DATETIME(4/19/2018 12:33:26 PM)~K0~JID=01~JID=02~JID=03~JID=0
4~JID=05~JID=06~JID=07~JID=08~JID=09~JID=10~JID=80~JID=81~JID=82

04/19/18 12:33:39.309465 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Hos
tLoanExists).DATETIME(4/19/2018 12:33:39 PM)~A0~BLMS~DCARD~F??????????????~HL
OAN~JID=ALL

04/19/18 12:33:39.310146 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(H
ostLoanExists).DATETIME(4/19/2018 12:33:39 PM)~K0~JID=01~JID=02~JID=80~JID=81

04/19/18 12:34:05.371520 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Hos
tLoanExists).DATETIME(4/19/2018 12:34:05 PM)~A0~BLMS~DCARD~F??????????????~HL
OAN~JID=ALL

04/19/18 12:34:05.372184 - RSIQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(H
ostLoanExists).DATETIME(4/19/2018 12:34:05 PM)~K0~JID=80

04/19/18 12:34:57.811784 - IQ~MSG.ACCTNUM(XXXX).FUNCTION(Inquiry).CALLER(Host
LoanExists).DATETIME(4/19/2018 12:34:57 PM)~A0~BLMS~DCARD~F??????????????~HLO
AN~JID=ALL

A new entry always begin with 00/00/00

What would the line_break be for my props?

1 Solution

Solution

Try this (props.conf on your indexer/heavy forwarder)

[yoursourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\d+\/\d+\s\d+\:)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%y %H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

View solution in original post

works like a charm! Thank you!!!

Solution

Try this (props.conf on your indexer/heavy forwarder)

[yoursourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\d+\/\d+\s\d+\:)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%y %H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

View solution in original post

never-displayed

Additional options

Associated Products