Getting Data In

I need help with properly breaking up events

Jarohnimo
Builder

Hello,

I'm having an issue where ClamAV logs aren't breaking the events correctly. I'm confident the line_breaking regex is fine. Time: \d+\.\d+ sec \(\d+ m \d+ s\)()

The issue I'm having is sometimes the events show up in Splunk where:
"------------------------------------------" <-- This hashed line is an event. It shouldn't be its own event. It should be included at the start of every event, not its own event. So the end of the event seems to be satisfied with the line_breaker on the time field, but how do I force Splunk to understand the hashed line is the start of every event? As of now it works sometimes where the hashed line is included in the event, and sometimes it does not (hashed line is its own event).

Any way to enforce this, perhaps with some sort of index-time field parsing stanza I'm missing? You can see from the blob I'm pasting below examples of the logs (3 separate events).

-------------------------------------------------------------------------------

  WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200021_ow7PXV: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200026_aPhSxB: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1532.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1695.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1517.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1727.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1526.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1770.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1513.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1686.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1636.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1698.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1785.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1617.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1742.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1519.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1708.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1531.log: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200003_aWcbM9: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200007_cPewso: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200001_02GigF: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200037_PR0YIo: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
  WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
  WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200028_4tocVD: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
  WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied

  ----------- SCAN SUMMARY -----------
  Known viruses: 5995098
  Engine version: 0.99.2
  Scanned directories: 6366
  Scanned files: 41938
  Infected files: 0
  Total errors: 83
  Data scanned: 3329.70 MB
  Data read: 4610.58 MB (ratio 0.72:1)
  Time: 4296.029 sec (71 m 36 s)

  -------------------------------------------------------------------------------

  WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200001_n3Udh3: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200046_tG4INP: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200071_HSWmZ6: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1532.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1695.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1517.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1594.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1595.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1580.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1526.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1513.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1686.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1589.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1636.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1698.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1617.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1604.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1584.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1519.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1708.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1531.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1608.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1610.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1598.log: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200028_dJudKj: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200012_QHbp0P: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200003_3gLmvy: Permission denied
  WARNING: Can't open file /tmp/tmp.z1NhS7Cf1p: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200016_ZuL9m4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200048_CG4mxR: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200037_FH62Pc: Permission denied
  WARNING: Can't open file /tmp/tmp.a9xsZutIWq: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
  WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
  WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200051_5IDsNl: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200049_70bzRj: Permission denied
  WARNING: Can't open file /tmp/tmp.E4AJCzpOIr: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200007_R3pBFi: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
  WARNING: Can't open file /tmp/tmp.nEx5K1P19V: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
  WARNING: Can't open file /tmp/tmp.3xu23Z8tDj: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
  WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied

  ----------- SCAN SUMMARY -----------
  Known viruses: 6319346
  Engine version: 0.99.2
  Scanned directories: 7233
  Scanned files: 45947
  Infected files: 0
  Total errors: 100
  Data scanned: 3594.28 MB
  Data read: 4821.47 MB (ratio 0.75:1)
  Time: 485.906 sec (8 m 5 s)

  -------------------------------------------------------------------------------

  WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200048_SKap8h: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200071_e3US5K: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200021_IfCsp4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200046_tG4INP: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1587.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1594.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1595.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1580.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1566.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1578.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1611.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1589.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1583.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1596.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1604.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1584.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1582.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1620.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1577.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1608.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1610.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1598.log: Permission denied
  WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1591.log: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
  WARNING: Can't open file /tmp/tmp.0qPyyvkhIw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200028_dJudKj: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200012_QHbp0P: Permission denied
  WARNING: Can't open file /tmp/tmp.z1NhS7Cf1p: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200065_NZfYE4: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200037_FH62Pc: Permission denied
  WARNING: Can't open file /tmp/tmp.a9xsZutIWq: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200003_Ysuwzs: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200001_VezxBM: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
  WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
  WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200049_zrBoRF: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200051_5uiGLr: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200047_iM0nZM: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
  WARNING: Can't open file /tmp/tmp.E4AJCzpOIr: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200007_R3pBFi: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200016_7hh0tc: Permission denied
  WARNING: Can't open file /tmp/tmp.nEx5K1P19V: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200062_Y3tkcC: Permission denied
  WARNING: Can't open file /tmp/tmp.3xu23Z8tDj: Permission denied
  WARNING: Can't open file /tmp/tmp.KgPSpEWZwR: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
  WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
  WARNING: Can't open file /tmp/krb5cc_1846200067_xWpi42: Permission denied

  ----------- SCAN SUMMARY -----------
  Known viruses: 6319470
  Engine version: 0.99.4
  Scanned directories: 8003
  Scanned files: 47590
  Infected files: 0
  Total errors: 105
  Data scanned: 4118.82 MB
  Data read: 5005.36 MB (ratio 0.82:1)
  Time: 556.020 sec (9 m 16 s)
0 Karma

to4kawa
Ultra Champion

props.conf

[clamav]
SHOULD_LINEMERGE = false
LINE_BREAKER = (?m)(-{79}\s+)^
TRUNCATE = 0
DATETIME_CONFIG = CURRENT
0 Karma

atownson
Explorer

My suggestion is below. This should break your events based on the dashes (assuming there are no spaces before the dashes and there are always 79 dashes). I don't see a valid timestamp in the events so timestamp recognition is effectively disabled.

props.conf

[yourSourceType]
LINE_BREAKER = ([\r\n]+)-{79}
BREAK_ONLY_BEFORE_DATE = false
TRUNCATE = 0
DATETIME_CONFIG = NONE
MAX_TIMESTAMP_LOOKAHEAD = 0

Maybe that'll help.

0 Karma

Jarohnimo
Builder

I need something that tells the event break that the start of each event is the hashed line, as that's what's not working currently. The line breaking on the tail end seems to work fine. It's just the top portion of each event (hashed line) that appears.

0 Karma

atownson
Explorer

The LINE_BREAKER value above should work. It should break the events based on a line return and the 79 dashes, but still retain the dashes because they're not in the capture group.

0 Karma
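
Added example, not posted by anyone in this thread: a small Python model of the documented LINE_BREAKER rule (the previous event ends where the first capture group starts, the next event begins where it ends, and the captured text is discarded), applied to the three regexes quoted above. The sample log is constructed, Python's `re` stands in for Splunk's regex engine, and line merging, TRUNCATE and file tailing are not modelled.

```python
import re

DASHES = "-" * 79

# LINE_BREAKER values exactly as posted in the thread.
BREAKERS = {
    "asker": r"Time: \d+\.\d+ sec \(\d+ m \d+ s\)()",
    "to4kawa": r"(?m)(-{79}\s+)^",
    "atownson": r"([\r\n]+)-{79}",
}


def make_sample(indent=""):
    """Constructed ClamAV-style log: two scan reports, each opened by a dashed line."""
    def report(path, secs, human):
        lines = [DASHES, "",
                 f"WARNING: Can't open file {path}: Permission denied", "",
                 "----------- SCAN SUMMARY -----------",
                 "Infected files: 0",
                 f"Time: {secs} sec ({human})", ""]
        # Blank lines stay empty; every other line gets the optional indent.
        return "".join((indent + line if line else "") + "\n" for line in lines)
    return (report("/tmp/example_a", "485.906", "8 m 5 s")
            + report("/tmp/example_b", "556.020", "9 m 16 s"))


def split_events(raw, line_breaker):
    """Split raw text the way the LINE_BREAKER rule describes (model only)."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.start(1) < 0:          # capture group did not take part in the match
            continue
        events.append(raw[start:m.start(1)])   # previous event ends at group start
        start = m.end(1)                       # next event begins at group end
    events.append(raw[start:])
    # Drop fragments that are only whitespace.
    return [e for e in events if e.strip()]


def summarize(raw):
    """Per regex: (number of events, number of events that begin with the dashed line)."""
    result = {}
    for name, regex in BREAKERS.items():
        events = split_events(raw, regex)
        headed = sum(e.lstrip().startswith(DASHES) for e in events)
        result[name] = (len(events), headed)
    return result


if __name__ == "__main__":
    for label, indent in (("dashes at column 0", ""), ("dashes indented", "  ")):
        print(label)
        for name, (count, headed) in summarize(make_sample(indent)).items():
            print(f"  {name:9s} events={count} start_with_dashes={headed}")
```

In this model the pattern with the dashes outside the capture group keeps the dashed line at the head of each event but stops matching once that line is indented, and the pattern with the dashes inside the capture group breaks in both cases but drops the dashed line from the events.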