Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to configure Splunk to break events that start...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngeorgieff
New Member
08-31-2016
05:44 PM
I have the logs like below pattern. I want to break the events that starts with <94>1and then timestamp
<94>1 2016-08-31T17:31:25.633-07:00 hostname-1-p02.domain.com GAMFT - FTP Audit Log [gamft-ftp@46583 event_type="Connection Successful" remote_ip="10.0.203.75" severity="I" start_time="8/31/16 5:31:25 PM" end_time="8/31/16 5:31:25 PM" local_ip="10.11.215.194" local_port="8021" command="Connect" time_taken="14" remarks="Connection established" system_name="hostname-1-p02"]<94>1 2016-08-31T17:31:29.166-07:00 hostname-1-p02.domain.com GAMFT - FTP Audit Log [gamft-ftp@46583 event_type="Login Successful" remote_ip="10.0.203.75" user_name="splunk_test" severity="I" start_time="8/31/16 5:31:29 PM" end_time="8/31/16 5:31:29 PM" local_ip="10.11.215.194" local_port="8021" command="Login" time_taken="68" remarks="230 User logged in, proceed." system_name="hostname-1-p02" domain="Infrastructure Services"]<94>1 2016-08-31T17:31:31.402-07:00 hostname-1-p02.domain.com GAMFT - FTP Audit Log [gamft-ftp@46583 event_type="Logout" remote_ip="10.0.203.75" user_name="splunk_test" severity="I" start_time="8/31/16 5:31:31 PM" end_time="8/31/16 5:31:31 PM" local_ip="0.0.0.0" local_port="8021" command="Logout" time_taken="10" remarks="221 Goodbye." system_name="hostname-1-p02" domain="Infrastructure Services"]<94>1 2016-08-31T17:31:31.414-07:00 hostname-1-p02.domain.com GAMFT - FTP Audit Log [gamft-ftp@46583 event_type="Disconnect" remote_ip="10.0.203.75" user_name="splunk_test" severity="I" start_time="8/31/16 5:31:31 PM" end_time="8/31/16 5:31:31 PM" local_ip="0.0.0.0" local_port="8021" command="Disconnect" time_taken="8" remarks="Disconnected" system_name="hostname-1-p02" domain="Infrastructure Services"]
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vprisiajni_splu
Splunk Employee
09-14-2016
02:54 PM
In my test with these sample events, the following seemed to work:
LINE_BREAKER = (<94>1)(\s)
SHOULD_LINEMERGE = false
Explanation from our props.conf docs:
- The regex must contain a capturing group -- a pair of parentheses which defines an identified subcomponent of the match.
- Wherever the regex matches, Splunk considers the start of the first capturing group to be the end of the previous event, and considers the end of the first capturing group to be the start of the next event.
- The contents of the first capturing group are discarded, and will not be present in any event. You are telling Splunk that this text comes between lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vprisiajni_splu
Splunk Employee
09-14-2016
02:54 PM
In my test with these sample events, the following seemed to work:
LINE_BREAKER = (<94>1)(\s)
SHOULD_LINEMERGE = false
Explanation from our props.conf docs:
- The regex must contain a capturing group -- a pair of parentheses which defines an identified subcomponent of the match.
- Wherever the regex matches, Splunk considers the start of the first capturing group to be the end of the previous event, and considers the end of the first capturing group to be the start of the next event.
- The contents of the first capturing group are discarded, and will not be present in any event. You are telling Splunk that this text comes between lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngeorgieff
New Member
09-14-2016
03:40 PM
It works. Thank you very much for your help and explanation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
08-31-2016
08:00 PM
A place to investigate it at Configure event line breaking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngeorgieff
New Member
09-01-2016
12:19 PM
I've tried with LB regex, data prefix but none worked for me.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...
They're back! Join the SplunkTrust and MVP at .conf24
With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...
Enterprise Security Content Update (ESCU) | New Releases
Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...
