Getting Data In

How to set a correct line breaks in my props.conf

Communicator

The first picture is my original logs
alt text

The second picture is my logs in the splunk
alt text

Now,we can see the splunk wrap my logs in the wrong places.
Please tell me how to set in the props.conf can solve this problem.
Thanks very much!

0 Karma

Builder

Hi,

Try this,

LINE_BREAKER = ([\r\n]+)\[[^\]]+\]\[\d{4}\-\d{2}\-\d{2}\s++\d{2}\:\d{2}\:\d{2}\,\d{3}\]\[tid\:

THat should break the events better for you

0 Karma

Splunk Employee
Splunk Employee

Hi perlish

There seems to be two problems. First the output of your logs has unwanted carriage returns in it. The second splunk is not recognising this as a multiline event. The latter can be fixed with the following stanza in props.conf. The time prefix looks complex but it is saying look for a line that starts with [ and the time should come after the second [

[business]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = ^\[[^\[]+\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%q3
MAX_TIMESTAMP_LOOKAHEAD = 24

The line breaks will still be there and may cause fields to break in half. I suggest you look at how these logs are generated for the cause.

0 Karma

Splunk Employee
Splunk Employee

Ignore the 5. before time format. I don't know where that came from.

0 Karma

Communicator

I tried this method but it seems did not work.
How can I set up the line breaker like a '\n'.

0 Karma

SplunkTrust
SplunkTrust

It's a line number added by the system in all code samples.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

What are the current props.conf settings for this log? Have you tried BREAK_ONLY_BEFORE=[ems.ton]?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Communicator

Yes,I have tried but did not work.

0 Karma