How to create a props.conf for a app log?

sathiyasun · ‎08-15-2022

how to create a props.conf for the below data..Need to break the line from ### endwith

########################################

20220815.011001: =========================
20220815.011001: Cron dummy started by dummy1.
20220815.011001: =========================
20220815.011002: 20220815.011001: Checking processes on Prod SEATTLE server seat1
20220815.011001: 3 critical processes run on seat1
20220815.011001: 1 non-critical processes run on seat1
20220815.011001: 208 processes are now running on seat1
20220815.011001: 10 processes owned by dummy1
20220815.011001: SEATTLE Authentication_Process is running (581).
20220815.011001: SEATTLE is running (1709).
20220815.011001: PS Pmeter_Server is running (1886).
20220815.011002: PS Pmeter_Server is running (2000).
20220815.011002: All critical processes are running.
20220815.011002: =========================
20220815.011002: dummy complete.
20220815.011002: =========================
20220815.011501:

gcusello · ‎08-16-2022

Hi @sathiyasun,

you have a timestamp for each row, so you could also use this time stamp.

Anyway, as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf you could use:

[your_sourcetype]
SHOULD_LINEMERGE = true
LINE_BREAKER = \d{8}\.\d{6}:\sCron\sdummy\sstarted\sby

Ciao.

Giuseppe

How to create a props.conf for a app log?

props.conf

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms