Getting Data In

Line breaking in log file not working.

nitesh218ss
Communicator

I am working with a sample log file in which some events break across lines differently. I use BREAK_LINE = ([\r\n]+)/d+/./d/./d+* but it does not work. My log file is:

21/11/2014|16:07:01.383| 6|000000000006|RetrieveCardDetails |Internal Gateway: Received the following: System ID: [ParentMail], PublicSecurityToken ID: [mIgxoHhht1SAa+QMqx0FQoYsYGZ9WiyQ/V5g2AqtLAwqf9bEq0+7y7XzYQv3Ff7h], Security Code: [****uise]
21/11/2014|16:07:01.399| 2|000000000006|.ctor |New instance of Web Service 'AccountManagementBusiness' class created
21/11/2014|16:07:01.664| 6|000000000006|RetrieveCardDetails |Internal Gateway: Responding with Card Details [

<SystemID>ParentMail</SystemID>


<CardNumber></CardNumber>
<ExpiryDate></ExpiryDate>
<IssueNumber>0</IssueNumber>
<CaptureMethod>CA</CaptureMethod>

]
21/11/2014|16:12:05.174| 6|000000000007|ProcessRequest |Request Message Updated by TS3 (Internal GW): [ ParentMail 40232481 20141121 161205 200 SALE 0 GBP CARD REALTIME 1824 Transaction Item 1817 200 0 200 0 ECOMMERCE VIRTUAL 28 30 D0C100 AAABCGCViQAAACaZIJWJAAAAAAA= 20141121161200003123 05 cexhvm3w3vi3r332aryok1y5]
21/11/2014|16:12:05.190| 2|000000000007|.ctor |New instance of Web Service 'AccountManagementBusiness' class created

As you can see in the log file, each line starts with a date, like 21/11/2014.

My props.conf file configuration is:

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)/d+/./d/./d+*
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Please tell me what I should do to break lines correctly for every event.

0 Karma

richgalloway
SplunkTrust

Forward slashes must be escaped in regex strings, plus you have a stray dot. Try this string, which works in regex101.com:

([\r\n]+)\d+\/\d+\/\d+
---
If this reply helps you, Karma would be appreciated.
0 Karma
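To see what richgalloway's regex does compared with the one in the question, here is an added Python emulation of Splunk's LINE_BREAKER rule run over a constructed, shortened copy of the posted log. It is not code from this thread or from Splunk; the function names, the FIELD_NAMES mapping helper and the sample text are my own. Splunk breaks the stream at the first capture group, discards the captured text, and keeps whatever the regex matched after the group as the start of the next event; the emulation follows the same rule.

```python
import re

# Constructed sample, condensed from the log excerpt posted in the question
# (message text shortened; the multi-line "Card Details [ ... ]" block is kept
# because it is exactly the part that defeats naive per-line breaking).
SAMPLE_LOG = (
    "21/11/2014|16:07:01.383| 6|000000000006|RetrieveCardDetails |Internal Gateway: Received the following\n"
    "21/11/2014|16:07:01.399| 2|000000000006|.ctor |New instance of Web Service class created\n"
    "21/11/2014|16:07:01.664| 6|000000000006|RetrieveCardDetails |Internal Gateway: Responding with Card Details [\n"
    "\n"
    "<SystemID>ParentMail</SystemID>\n"
    "<CardNumber></CardNumber>\n"
    "<CaptureMethod>CA</CaptureMethod>\n"
    "\n"
    "]\n"
    "21/11/2014|16:12:05.174| 6|000000000007|ProcessRequest |Request Message Updated by TS3\n"
    "21/11/2014|16:12:05.190| 2|000000000007|.ctor |New instance of Web Service class created\n"
)

ORIGINAL_REGEX = r"([\r\n]+)/d+/./d/./d+*"   # as posted in the question
UNESCAPED_REGEX = r"([\r\n]+)/d+/./d/./d+"   # same, with the stray '*' removed
FIXED_REGEX = r"([\r\n]+)\d+\/\d+\/\d+"       # as posted in the answer

# FIELD_NAMES from the question's props.conf, used by split_fields() below.
FIELD_NAMES = ["datee", "timee", "no1", "no2", "msg1", "msg2"]


def splunk_line_break(raw, line_breaker):
    """Emulate Splunk's LINE_BREAKER: the text matched by capture group 1 is
    discarded and marks the event boundary; anything the regex matched after
    group 1 stays with the next event. Returns None if the regex does not
    compile or has no capture group (Splunk requires one)."""
    try:
        pattern = re.compile(line_breaker)
    except re.error:
        return None
    if pattern.groups < 1:
        return None
    events = []
    start = 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)          # next event begins right after the break text
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def split_fields(event, delimiter="|"):
    """Split one event on the FIELD_DELIMITER from the question into the six
    FIELD_NAMES. maxsplit keeps any extra delimiters inside the last field, so
    a multi-line message stays whole in msg2."""
    parts = event.split(delimiter, len(FIELD_NAMES) - 1)
    return dict(zip(FIELD_NAMES, parts))


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL_REGEX),
                      ("unescaped", UNESCAPED_REGEX),
                      ("fixed", FIXED_REGEX)):
        events = splunk_line_break(SAMPLE_LOG, rx)
        if events is None:
            print(f"{label}: regex does not compile or has no capture group")
            continue
        print(f"{label}: {len(events)} event(s)")
        for e in events:
            print("  ", repr(e[:60]))
    print(split_fields(splunk_line_break(SAMPLE_LOG, FIXED_REGEX)[2])["msg2"])
```

Two things the run makes visible: the question's regex does not compile at all in Python (`d+*` is a doubled quantifier), and even with the stray `*` removed, `/d` is a literal slash followed by the letter d rather than a digit class, so it never matches and the whole file comes through as a single event. The answer's regex yields five events, each starting with the date, and the multi-line Card Details block stays inside its own event; splitting that event on `|` still gives the six configured fields. Separately, LINE_BREAKER applies whether or not SHOULD_LINEMERGE is set, whereas BREAK_ONLY_BEFORE is only consulted when SHOULD_LINEMERGE = true.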

nitesh218ss
Communicator

I tried this but it does not work.
I tried changing props.conf in many ways but it does not work.

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)\d+\/\d+\/\d+
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

or

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
BREAK_ONLY_BEFORE = ^(\d\d\/\d\d\/\d\d\d\d)
BREAK_ONLY_BEFORE_DATE = True
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

or

[line_try]
BREAK_ONLY_BEFORE = ^(\d\d\/\d\d\/\d\d\d\d)
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
LINE_BREAKER = ([\r\n]+)\d+\/\d+\/\d+
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true

After each change I restart, but they do not work.

0 Karma