Re: Event-breaking policy

slipinski · ‎02-17-2023

Hi Splunkers,

I'm struggling with setting up an appropriate line breaker for data from log file. The example is below. I tried to use Event-breaking policy set to "every line", but it doesn't work fine as the last line consists of 3 events. I would like to break lines based on [abcdef.abcs][info][gc], but I'm not entirely sure whether it's possible.

Could you please take a look?

[883722.688s][info][gc] GC(40135) Pause Init Mark (process weakrefs) 1653.109ms

[883734.774s][info][gc] GC(40135) Concurrent marking (process weakrefs) 12086.056ms

[883736.181s][info][gc] GC(40135) Concurrent precleaning 1406.445ms

[883738.907s][info][gc] GC(40135) Pause Final Mark (process weakrefs) 2724.588ms [883738.908s][info][gc] GC(40135) Concurrent cleanup 72424M->72273M(153600M) 0.229ms [883739.217s][info][gc] GC(40135) Concurrent evacuation 308.624ms [883739.217s][info][gc] GC(40135) Pause Init Update Refs 0.137ms

[883742.192s][info][gc] GC(40135) Concurrent update references 2975.050ms [883742.195s][info][gc] GC(40135) Pause Final Update Refs 1.175ms [883742.196s][info][gc] GC(40135) Concurrent cleanup 80318M->62137M(153600M) 0.204ms [883742.197s][info][gc] Trigger: Allocated since last cycle (15943M) is larger than allocation threshold (15360M) [883742.224s][info][gc] GC(40136) Concurrent reset 26.618ms [883743.575s][info][gc] GC(40136) Pause Init Mark 1349.467ms

slipinski · ‎02-17-2023

I've already given it a go (not in props.conf, but in the sourcetype edit tab in GUI - I'm using cloud premise). It doesn't break lines correctly.

batabay · ‎02-17-2023

Also , you can try this.

LINE_BREAKER = ()[\[\w\.\]]+

batabay · ‎02-17-2023

Can you try in props.conf this config:

LINE_BREAKER = ([\r\n]+)[\[\w\.\]]+

How to set up an appropriate line breaker for data from log file?

field extraction

sourcetype

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies