Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to line break at indent

bah5663_98
Explorer
‎07-10-2019 10:53 AM

I'm trying to split log4j Java exceptions. I need to split a large event into smaller events where an indent does not occur, except when there is a "caused by" clause. I know that I need to edit line_breaker in props.conf, but am not sure of the regex syntax.

So basically I need to know how to break at an indented line, but not one that is indented, with the exception being "Caused by". 

com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:394) | 2019-07-05 03:07:25,692 | ERROR | Business object has no signature 'GoToSucceded'
    at matrix.db.BusinessObject.rejectSignature(BusinessObject.java:2656)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:361)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:65)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source
Business object has no signature 'GoToSucceded'
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:71)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source)
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:315)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:65)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.Exception: Error Message: STEP validation fails for one or more STEP files checked-in to the derived format
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.checkAndReleaseDerivedFormat(StepValidationBatch.java:439)
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.processSTEPFilesValidation(StepValidationBatch.java:114)
    at com.bht.catia.batch.STEPValidation.StepValidationProxy.initiateSTEPValidationBackgroundJob(StepValidationProxy.java:79)
    ... 12 more
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess.invokeInBackground(BHTBackgroundProcess.java:315)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.matrixone.apps.domain.util.BHTBackgroundProcess$CustomBackgroundProcessThread.run(BHTBackgroundProcess.java:65)
    at com.matrixone.threadpool.DefaultThreadPool.run(DefaultThreadPool.java:185)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.Exception: Error Message: STEP validation fails for one or more STEP files checked-in to the derived format
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.checkAndReleaseDerivedFormat(StepValidationBatch.java:439)
    at com.bht.catia.batch.STEPValidation.StepValidationBatch.processSTEPFilesValidation(StepValidationBatch.java:114)
    at com.bht.catia.batch.STEPValidation.StepValidationProxy.initiateSTEPValidationBackgroundJob(StepValidationProxy.java:79)
    ... 12 more

I placed dashes where I need breaks.
alt text

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2019 07:03 PM

Like this:

SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)(?!\s|Caused by:)
Reply

ragedsparrow
Contributor
‎07-12-2019 11:00 AM

Here is what I came up with based on your description:

 [<sourcetype>]
 DATETIME_CONFIG=CURRENT
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)[^\s|C]
 NO_BINARY_CHECK=true

If there is no other "non-indented" line that begins with "C", the above will work. It's hard to do an exclude in RegEx for a complete string.

Using your test data, I was able to get it to line break:

alt text

Preview file
1 KB
0 Karma
Reply

oscar84x
Contributor
‎07-10-2019 12:28 PM

Try this as your line breaker regex:

()\s^[^\s|Caused by]
0 Karma
Reply

oscar84x
Contributor
‎07-11-2019 05:48 AM

@bah5663_98. Please let me know if you've tried the regex above as your line breaker. I think it should work.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2019 11:12 AM

show a stream of logs and indicate where they should (and should not) be broken.

0 Karma
Reply

bah5663_98
Explorer
‎07-10-2019 11:48 AM

I updated the question. The dashes are where breaks should occur. Thanks.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2019 12:02 PM

We really need the text so that we can work with RegEx tools on your events. Pictures do not allow us to do that.

0 Karma
Reply

bah5663_98
Explorer
‎07-10-2019 12:17 PM

Sorry again. I added the text but the indented format is off. It usually looks as it does in the picture.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2019 10:33 PM

The text isn't the same either, it does not contain "Business object". We cannot help you if you don't give us sample events that match your desired outcome mockup.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...