Getting Data In

In log file line break not working.

nitesh218ss
Communicator

I am working with a sample log file in which some events break across lines differently. I used BREAK_LINE = ([\r\n]+)/d+/./d/./d+* but it does not work. My log file is:

21/11/2014|16:07:01.383| 6|000000000006|RetrieveCardDetails |Internal Gateway: Received the following: System ID: [ParentMail], PublicSecurityToken ID: [mIgxoHhht1SAa+QMqx0FQoYsYGZ9WiyQ/V5g2AqtLAwqf9bEq0+7y7XzYQv3Ff7h], Security Code: [****uise]
21/11/2014|16:07:01.399| 2|000000000006|.ctor |New instance of Web Service 'AccountManagementBusiness' class created
21/11/2014|16:07:01.664| 6|000000000006|RetrieveCardDetails |Internal Gateway: Responding with Card Details [

<SystemID>ParentMail</SystemID>


<CardNumber></CardNumber>
<ExpiryDate></ExpiryDate>
<IssueNumber>0</IssueNumber>
<CaptureMethod>CA</CaptureMethod>

]
21/11/2014|16:12:05.174| 6|000000000007|ProcessRequest |Request Message Updated by TS3 (Internal GW): [ ParentMail 40232481 20141121 161205 200 SALE 0 GBP CARD REALTIME 1824 Transaction Item 1817 200 0 200 0 ECOMMERCE VIRTUAL 28 30 D0C100 AAABCGCViQAAACaZIJWJAAAAAAA= 20141121161200003123 05 cexhvm3w3vi3r332aryok1y5]
21/11/2014|16:12:05.190| 2|000000000007|.ctor |New instance of Web Service 'AccountManagementBusiness' class created

As you can see in the log file, each event line starts with a date, like 21/11/2014.

My props.conf configuration is:

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)/d+/./d/./d+*
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Please tell me what I should do to break lines correctly for every event.

0 Karma

richgalloway
SplunkTrust

Forward slashes must be escaped in regex strings, plus you have a stray dot. Try this string, which works in regex101.com:

([\r\n]+)\d+\/\d+\/\d+
---
If this reply helps you, Karma would be appreciated.
0 Karma

nitesh218ss
Communicator

I tried this but it did not work.
I tried many ways of changing props.conf but none of them worked.

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)\d+\/\d+\/\d+
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

or

[line_try]
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
INDEXED_EXTRACTIONS = csv
KV_MODE = none
BREAK_ONLY_BEFORE = ^(\d\d\/\d\d\/\d\d\d\d)
BREAK_ONLY_BEFORE_DATE = True
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

or

[line_try]
BREAK_ONLY_BEFORE = ^(\d\d\/\d\d\/\d\d\d\d)
FIELD_DELIMITER = |
FIELD_NAMES = datee,timee,no1,no2,msg1,msg2
LINE_BREAKER = ([\r\n]+)\d+\/\d+\/\d+
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true

After each change I restart every time, but they do not work.

0 Karma
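To see why the first pattern fails and how the corrected LINE_BREAKER from the reply splits the sample, here is an added Python model of Splunk's line-breaking rule (example code, not code from the thread or from Splunk). It models only LINE_BREAKER with SHOULD_LINEMERGE = false (BREAK_ONLY_BEFORE is a line-merging setting and is not modelled), and the sample log is a constructed, shortened copy of the lines quoted in the question.

```python
import re

# Constructed sample, shortened from the log lines quoted in the question.
SAMPLE_LOG = (
    "21/11/2014|16:07:01.383| 6|000000000006|RetrieveCardDetails |Received the following\n"
    "21/11/2014|16:07:01.399| 2|000000000006|.ctor |New instance of Web Service created\n"
    "21/11/2014|16:07:01.664| 6|000000000006|RetrieveCardDetails |Responding with Card Details [\n"
    "\n"
    "<SystemID>ParentMail</SystemID>\n"
    "<CardNumber></CardNumber>\n"
    "<CaptureMethod>CA</CaptureMethod>\n"
    "\n"
    "]\n"
    "21/11/2014|16:12:05.174| 6|000000000007|ProcessRequest |Request Message Updated by TS3\n"
)

ORIGINAL_BREAKER = r"([\r\n]+)/d+/./d/./d+*"   # pattern from the question
FIXED_BREAKER = r"([\r\n]+)\d+\/\d+\/\d+"      # pattern from the reply


def breaker_error(line_breaker):
    """Return the regex compile error for a LINE_BREAKER, or None if it is valid."""
    try:
        re.compile(line_breaker)
    except re.error as exc:
        return str(exc)
    return None


def split_events(raw, line_breaker):
    """Model of Splunk's LINE_BREAKER rule: a new event starts at the END of
    the first capture group, the text matched by that group is discarded, and
    whatever the regex matched after the group stays at the start of the next
    event (so the date that follows the newline is kept)."""
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip() for e in events if e.strip()]


if __name__ == "__main__":
    print("original pattern:", breaker_error(ORIGINAL_BREAKER))
    for i, event in enumerate(split_events(SAMPLE_LOG, FIXED_BREAKER), 1):
        print(f"--- event {i} ---\n{event}")
```

With the fixed pattern the card-details block stays inside the third event instead of being split at its embedded blank lines.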