Solved: How do I configure line breaking in props.conf fo...

myorkows · ‎10-28-2016

Would like the events to be split after ) --[End]--------------------$

 (0x03000000:NameValue)urn:hl7-org:v2xml:Remainder        = NULL$
        )$
      )$
    )$
  )$
)  --[End]--------------------$
--[Start]-------------------  TIME_STAMP: 2016-06-16 09:01:52.757998 --  MESSAGE_ID: 'Unknown' --  Flow: 'Messages_Received_From_CHCS_Or_TMDGReceiver' --  Milestone: 'From Ack' --  Message:  ( ['GENERICROOT' : 0x7effe100e650]$
  (0x01000000:Name):Properties = ( ['MQPROPERTYPARSER' : 0x7effe104c9d0]$
    (0x03000000:NameValue):MessageSet             = NULL$
    (0x03000000:NameValue):MessageType            = NULL$
    (0x03000000:NameValue):MessageFormat          = NULL$
    (0x03000000:NameValue):Encoding               = NULL$
    (0x03000000:NameValue):CodedCharSetId         = NULL$

skoelpin · ‎10-28-2016

Add this

[Your_SourceType]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,$3N
BREAK_ONLY_BEFORE = --\[Start]\S+

Restart your Splunk indexer SPLUNK_HOME/bin/splunk restart

View solution in original post

myorkows · ‎11-01-2016

Thanks for your quick response...this is what the events look like now after adding your changes to the props.conf.

11/1/16
12:03:19.502 AM
) -- ExceptionList: --[End]--------------------
--[Start]------------------- TIME_STAMP: 2016-11-01 00:03:19.502293 -- MESSAGE_ID: NULL -- Flow: 'crdOrdLrUpdate_FLOW' -- Milestone: 'Lab/Rad Stored Proc Success' -- Message: ( 'MQROOT' : 0x7f4524788780:Properties = ( 'MQPROPERTYPARSER' : 0x7f45248ecaa0:MessageSet = NULL
(0x03000000:NameValue):MessageType = NULL
(0x03000000:NameValue):MessageFormat = NULL
(0x03000000:NameValue):Encoding = NULL
(0x03000000:NameValue):CodedCharSetId = NULL
(0x03000000:NameValue):Transactional = NULL
(0x03000000:NameValue):Persistence = NULL
(0x03000000:NameValue):CreationTime = NULL
(0x03000000:NameValue):ExpirationTime = NULL
(0x03000000:NameValue):Priority = NULL
(0x03000000:NameValue):ReplyIdentifier = NULL
(0x03000000:NameValue):ReplyProtocol = 'MQ' (CHARACTER)
(0x03000000:NameValue):Topic = NULL
(0x03000000:NameValue):ContentType = NULL
(0x03000000:NameValue):IdentitySourceType = NULL
(0x03000000:NameValue):IdentitySourceToken = NULL
(0x03000000:NameValue):IdentitySourcePassword = NULL
(0x03000000:NameValue):IdentitySourceIssuedBy = NULL
(0x03000000:NameValue):IdentityMappedType = NULL
(0x03000000:NameValue):IdentityMappedToken = NULL
(0x03000000:NameValue):IdentityMappedPassword = NULL
(0x03000000:NameValue):IdentityMappedIssuedBy = NULL
)

Collapse
host = dev2iib1 source = /iibshare/logs/DHA_ESB_NODE_1/Tuesday.log sourcetype = iib

---I would like the events to look like this

--[Start]------------------- TIME_STAMP: 2016-11-01 00:03:19.502293 -- MESSAGE_ID: NULL -- Flow: 'crdOrdLrUpdate_FLOW
1 stuff
2 stuff
3 stuff
ExceptionList: --[End]--------------

Thanks so much for all your help!

skoelpin · ‎11-01-2016

Whoops. I edited my answer to the correct configuration, try pasting the updated answer into your props.conf and restart.. This should work

skoelpin · ‎10-28-2016

Add this

[Your_SourceType]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,$3N
BREAK_ONLY_BEFORE = --\[Start]\S+

Restart your Splunk indexer SPLUNK_HOME/bin/splunk restart

myorkows · ‎11-01-2016

THANKS!!!...that worked!

myorkows · ‎11-01-2016

Sorry I can't award any points...must be too new.

skoelpin · ‎11-01-2016

That's ok, you could upvote the answer which gives me points if you feel like its worth it

myorkows · ‎11-01-2016

Okay...just did ...Thanks again!

How do I configure line breaking in props.conf for my sample log file?

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!