Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove an invalid line breaker from syslog before indexing?

vlours
Explorer
‎09-28-2016 08:42 PM

Hi everyone,

I've got an application sending data to splunk, which are split over multiple lines instead to keep everything on the same line.

When I redirect my data to a file instead of splunk, I can find that the ascii code #012 is sent as part of the string.

Example:

... #012Change details       : #012filewrite#012 ...

Which are split in multiples lines in splunk:

...
9/29/16 3:25:30.000 AM  filewrite
host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog
9/29/16 3:25:30.000 AM  Change details       :
host = xxx.xxx.xxx.xxx source = udp:3514 sourcetype = syslog
...

Is there any way to replace the ASCII code #012 before to index it into splunk ?

I've try to add this config in my props.conf, but it did not solved it.

[syslog]
LINE_BREAKER=#012
SHOULD_LINEMERGE=true

And also this one: 

[syslog]
SEDCMD-fim = s/\#012/ /g

Thanks for your support.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vlours
Explorer
‎09-29-2016 12:03 AM

As explain by @somesoni2, the #012 is is ascii code for \n

So to solve it, I've include the following in my props.conf:
[syslog]
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=true

My data are now merged correctly in one line.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vlours
Explorer
‎09-29-2016 12:03 AM

As explain by @somesoni2, the #012 is is ascii code for \n

So to solve it, I've include the following in my props.conf:
[syslog]
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=true

My data are now merged correctly in one line.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-28-2016 10:10 PM

The #012 is ascii code for \n, so that is why events are getting split (default LINE_BREAKER is ([\r\n]+)). You second configuration with SEDCMD will not work as SEDCMD executes after events are broken.

How does your data looks like when you redirect it to a file (sample entries, mask any sensitive data)? You probably have to setup correct LINE_BREAKER (assuming you're data is directly coming to indexer/heavy forwarder) to split it correctly.

Reply
Solved! Jump to solution

vlours
Explorer
‎09-28-2016 10:46 PM

Hi somesoni2,

Actually, I did not test it with the default LINE_BREAKER, as I was fighting with my #012 value.
Setting the default value LINE_BREAKER and the SHOULD_LINEMERGE is working fine.

So, I've put the following in my props.conf:
[syslog]
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=true

Thanks a lot.
Have a great day.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...