How to set a correct line breaks in my props.conf

perlish · ‎02-06-2015

The first picture is my original logs

The second picture is my logs in the splunk

Now,we can see the splunk wrap my logs in the wrong places.
Please tell me how to set in the props.conf can solve this problem.
Thanks very much!

lmyrefelt · ‎02-11-2015

Hi,

Try this,

LINE_BREAKER = ([\r\n]+)\[[^\]]+\]\[\d{4}\-\d{2}\-\d{2}\s++\d{2}\:\d{2}\:\d{2}\,\d{3}\]\[tid\:

THat should break the events better for you

bmunson_splunk · ‎02-06-2015

Hi perlish

There seems to be two problems. First the output of your logs has unwanted carriage returns in it. The second splunk is not recognising this as a multiline event. The latter can be fixed with the following stanza in props.conf. The time prefix looks complex but it is saying look for a line that starts with [ and the time should come after the second [

[business]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = ^\[[^\[]+\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%q3
MAX_TIMESTAMP_LOOKAHEAD = 24

The line breaks will still be there and may cause fields to break in half. I suggest you look at how these logs are generated for the cause.

bmunson_splunk · ‎02-06-2015

Ignore the 5. before time format. I don't know where that came from.

perlish · ‎02-08-2015

I tried this method but it seems did not work.
How can I set up the line breaker like a '\n'.

richgalloway · ‎02-06-2015

It's a line number added by the system in all code samples.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎02-06-2015

What are the current props.conf settings for this log? Have you tried BREAK_ONLY_BEFORE=[ems.ton]?

---
If this reply helps you, Karma would be appreciated.

perlish · ‎02-08-2015

Yes,I have tried but did not work.

How to set a correct line breaks in my props.conf

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases