Re: In log file line break not working.

nitesh218ss · ‎04-27-2015

i working in sample log file in which some event break line is different i use BREAK_LINE = ([\r\n]+)/d+/./d/./d+* but not work my log file is:

21/11/2014|16:07:01.383| 6|000000000006|RetrieveCardDetails |Internal Gateway: Received the following: System ID: [ParentMail], PublicSecurityToken ID: [mIgxoHhht1SAa+QMqx0FQoYsYGZ9WiyQ/V5g2AqtLAwqf9bEq0+7y7XzYQv3Ff7h], Security Code: [****uise]
21/11/2014|16:07:01.399| 2|000000000006|.ctor |New instance of Web Service 'AccountManagementBusiness' class created
21/11/2014|16:07:01.664| 6|000000000006|RetrieveCardDetails |Internal Gateway: Responding with Card Details [

<SystemID>ParentMail</SystemID>


<CardNumber></CardNumber>
<ExpiryDate></ExpiryDate>
<IssueNumber>0</IssueNumber>
<CaptureMethod>CA</CaptureMethod>

]
21/11/2014|16:12:05.174| 6|000000000007|ProcessRequest |Request Message Updated by TS3 (Internal GW): [ ParentMail 40232481 20141121 161205 200 SALE 0 GBP CARD REALTIME 1824 Transaction Item 1817 200 0 200 0 ECOMMERCE VIRTUAL 28 30 D0C100 AAABCGCViQAAACaZIJWJAAAAAAA= 20141121161200003123 05 cexhvm3w3vi3r332aryok1y5]
21/11/2014|16:12:05.190| 2|000000000007|.ctor |New instance of Web Service 'AccountManagementBusiness' class created

If you see in log file line is start with date. like 21/11/2014

My props.conf file configration is:

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)/d+/./d/./d+*
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Please tell me what i do for line break correctly in every event.

richgalloway · ‎04-27-2015

Forward slashes must be escaped in regex strings, plus you have a stray dot. Try this string, which works in regex101.com:

([\r\n]+)\d+\/\d+\/\d+

---
If this reply helps you, Karma would be appreciated.

nitesh218ss · ‎04-27-2015

i try this but not work
Many way i try to change props.conf but not work

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)\d+\/\d+\/\d+
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

or

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
BREAK_ONLY_BEFORE = ^(\d\d\/\d\d\/\d\d\d\d)
BREAK_ONLY_BEFORE_DATE = True
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

or

[line_try]
BREAK_ONLY_BEFORE = ^(\d\d\/\d\d\/\d\d\d\d)
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
LINE_BREAKER = ([\r\n]+)\d+\/\d+\/\d+
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true

After change i restart every time but they not work

In log file line break not working.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation