Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I line break this data source?

BlakeDC
New Member
‎05-13-2016 04:19 PM 
ComputerTarget=EDITED; NeededCount=31; DownloadedCount=0; NotApplicableCount=82225; NotInstalledCount=31; InstalledCount=32; FailedCount=0
ComputerTarget=EDITED; NeededCount=202; DownloadedCount=0; NotApplicableCount=81555; NotInstalledCount=202; InstalledCount=154; FailedCount=0
ComputerTarget=EDITED; NeededCount=203; DownloadedCount=0; NotApplicableCount=81921; NotInstalledCount=203; InstalledCount=156; FailedCount=0

This is my data source. I have it setup in props.conf to linebreak after FailedCount=####### but it doesn't seem to be working (data never reaches Splunk unless I remove the props settings).

Here's my props:

[NeededCount]
CHARSET = UTF-16LE
is_valid = True
SHOULD_LINEMERGE = True
MUST_BREAK_AFTER = (FailedCount=\d{1,10})

I need help in making sure it'll break after that failedcount=#### so that each line shows up in Splunk as its own event and not just a giant event of 130+ lines.

Tags (2)
0 Karma
Reply

mosman_splunk
Splunk Employee
Splunk Employee
‎05-13-2016 06:23 PM

LINE_BREAKER=(FailedCount=\d+)\s+ComputerTarget
SHOULD_LINEMERGE = false

Good luck

0 Karma
Reply

ltawfall
Path Finder
‎05-13-2016 04:52 PM

Does the file have newlines?

LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE = false

generally works.

0 Karma
Reply

BlakeDC
New Member
‎05-13-2016 06:01 PM

It's a powershell output to a file. It's basically all the lines at once.

I've tried to default which you pasted above but when I do that no data is showing up in splunk 😞

0 Karma
Reply

BlakeDC
New Member
‎05-13-2016 06:21 PM

I added a "`n" to the end of the output file so each line now has a hard break inserted. It shows up now but it's still just one single event instead of an event for each line 😞

It basically thinks I have 300 fields in this log and I can't parse!

0 Karma
Reply

ltawfall
Path Finder
‎05-16-2016 11:38 AM

bah.. I need to actual output file to to get this correctly. I've had to do a lot of weird line parsing lately, so it's fresh in the brain.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...