Getting Data In

Help with parsing a cmd log file

arijitnag
New Member

==============================================
**Command: C:\cmd command - xxx..
Started at: 12/04/2017 07:03:02

Finished at: 12/04/2017 07:06:03 with code 0**

==============================================
**Command: C:\cmd command - xxx..
Started at: 12/04/2017 07:03:02

Finished at: 12/04/2017 07:06:03 with code 0**

==============================================
**Command: Command\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
Started at: 12/04/2017 07:06:03
Command output:
c:># xxxxxxxxxxxxxxxxxxx......
c:>xxxxxxxxxxxxxxxxxxxx

Finished at: 12/04/2017 07:06:25 with code 0**

==============================================
**Command: C:\cmd command - xxx..
Started at: 12/04/2017 07:06:25

Finished at: 12/04/2017 07:06:28 with code 0**

Individual log entries begin and end with a '====' separator.

Since the timestamp entries are seemless across logs, finished and new log parsing is erratic.

Tried with putting following prop.conf at $SPLUNK_HOME/system/local

[source_type]
LINE_BREAKER = [=]+
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = true
DATETIME_CONFIG = NONE
MUST_BREAK_AFTER = [=]+

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The LINE_BREAKER attribute needs a capture group to work correctly. Try LINE_BREAKER = ([=\s]+)Command: or LINE_BREAKER = ()Command:.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The LINE_BREAKER attribute needs a capture group to work correctly. Try LINE_BREAKER = ([=\s]+)Command: or LINE_BREAKER = ()Command:.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...