Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure line breaker?

sgarcia
Explorer
‎02-15-2023 12:05 PM

Hola comunidad 

I'm trying to configure the props file so that the following event starts from the third line:

sgarcia_0-1676491362546.png

Currently, I am testing as follows:

sgarcia_1-1676491426647.png

 

If I leave this setting, the timestamp of the first few lines will be taken from splunk, but it should take the timestamp of the lines with date.

Regards

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:45 PM

Hi @sgarcia,

you have to filter the first three rows using something l.ike this:

in props.conf:

[yoursourceytpe]
SHOULD_LINEMERGE = false
TRANSFORMS-removeheaderevent = setnull

in transforms.conf:

[setnull]
REGEX = ^(REPORTESDEBIT|TotalMovimientos|Id;Usuario)
DEST_KEY = queue
FORMAT = nullQueue

Please, next time, put the log samples in the Code/Sample box instead using a printscreen so we can use it to answer.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:45 PM

Hi @sgarcia,

you have to filter the first three rows using something l.ike this:

in props.conf:

[yoursourceytpe]
SHOULD_LINEMERGE = false
TRANSFORMS-removeheaderevent = setnull

in transforms.conf:

[setnull]
REGEX = ^(REPORTESDEBIT|TotalMovimientos|Id;Usuario)
DEST_KEY = queue
FORMAT = nullQueue

Please, next time, put the log samples in the Code/Sample box instead using a printscreen so we can use it to answer.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sgarcia
Explorer
‎02-17-2023 06:05 AM

REPORTESDEBITACORAGRAL;;;;;;;;;;
TotalMovimientos:;;;;;;;;;;
ID;Usuario;Fecha/Horadecaptura;Tipodeoperacion;Clave;Emisor;Receptor;MediodeEntrega;Importe;Estado;TipodeError
1675816017182;DKXMMHA;07/Feb/202318:26hrs.;Logout;FinSesionUsr.;Sindefinicion;Sindefinicion;Sindefinicion;0;OK;
1675815710949;DKXMMHA;07/Feb/202318:21hrs.;Login;Ini.SesionUsr.;Sindefinicion;Sindefinicion;Sindefinicion;0;OK;
1675814586855;SPEI;07/Feb/202318:03hrs.;AvisoTraspasoOK;2035;Sindefinicion;Sindefinicion;Sindefinicion;30,430,522.05;OK;
1675814481168;SPEI;07/Feb/202318:01hrs.;Act.delCat.Ins.;EnsesionInstituciones.;Sindefinicion;Sindefinicion;Sindefinicion;0;OK;
1675814481200;SPEI;07/Feb/202318:01hrs.;Act.delCat.Cert.;EnsesionCertificados.;Sindefinicion;Sindefinicion;Sindefinicion;0;OK;
1675814481231;SPEI;07/Feb/202318:01hrs.;Act.delCat.Nvls.;EnsesionNiveles.;Sindefinicion;Sindefinicion;Sindefinicion;0;OK;

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-17-2023 08:21 AM

Hi @sgarcia,

please try this regex:

^(REPORTESDEBITACORAGRAL|TotalMovimientos|ID;Usuario)

that you can test at https://regex101.com/r/0m8hng/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sgarcia
Explorer
‎02-17-2023 06:05 AM

Thank you, i try the configuration, and comeback as soon .

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...