Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Help with parsing a cmd log file

arijitnag
New Member
‎12-05-2017 02:59 AM

==============================================
**Command: C:\cmd command - xxx..
Started at: 12/04/2017 07:03:02

Finished at: 12/04/2017 07:06:03 with code 0**

==============================================
**Command: C:\cmd command - xxx..
Started at: 12/04/2017 07:03:02

Finished at: 12/04/2017 07:06:03 with code 0**

==============================================
**Command: Command\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
Started at: 12/04/2017 07:06:03
Command output:
c:># xxxxxxxxxxxxxxxxxxx......
c:>xxxxxxxxxxxxxxxxxxxx

Finished at: 12/04/2017 07:06:25 with code 0**

==============================================
**Command: C:\cmd command - xxx..
Started at: 12/04/2017 07:06:25

Finished at: 12/04/2017 07:06:28 with code 0**

Individual log entries begin and end with a '====' separator.

Since the timestamp entries are seemless across logs, finished and new log parsing is erratic.

Tried with putting following prop.conf at $SPLUNK_HOME/system/local

[sourcetype]
LINEBREAKER = [=]+
BREAKONLYBEFOREDATE = false
SHOULDLINEMERGE = true
DATETIMECONFIG = NONE
MUSTBREAK_AFTER = [=]+

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Help with parsing a cmd log file

richgalloway
SplunkTrust
SplunkTrust
‎12-05-2017 06:29 AM

The LINE_BREAKER attribute needs a capture group to work correctly. Try LINE_BREAKER = ([=\s]+)Command: or LINE_BREAKER = ()Command:.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Reply