Solved: LINE_BREAKER not working correctly

pkeller · ‎01-25-2017

The event I want to break on looks like this:

25/Jan/17:10:23:00:069+0000 DEBUG Evaluation of condition [188:FTP Mastering Users] took 0 ms

props.conf looks like this:
LINE_BREAKER = ([\r\n]+)(\d+/\w{3}/\d+:\d{2}:\d{2}:\d{2}:\d{3})
I've also tried this:
LINE_BREAKER = ([\r\n]+)(\d+\/\w{3}\/\d+:\d{2}:\d{2}:\d{2}:\d{3})
TIME_FORMAT = %-m/%b/%y:%H:%M:%S:%3N%z
TRUNCATE = 0

I'm still finding that my indexers are now combining every event matching the REGEX into a single event ( until the max events boundary is reached )

I figure I'm getting hung up on the "forward slash" in the date vs what I have in the REGEX, but have not been able to ingest this particular datasource accurately. So do I need to go a step further with regards to

somesoni2 · ‎01-25-2017

Give this a try

[yourSourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\w+\/\d+:\d+:\d+:\d+)
TIME_FORMAT = %d/%b/%y:%H:%M:%S:%N%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 27

View solution in original post

woodcock · ‎01-25-2017

Try this:

([\r\n]+)(\d+\/\w{3}\/\d+:\d{2}:\d{2}:\d{2}:\d{3})

You can test your RegEx with http://www.regex101.com. This showed that you were not escaping your / characters.

somesoni2 · ‎01-25-2017

Give this a try

[yourSourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\w+\/\d+:\d+:\d+:\d+)
TIME_FORMAT = %d/%b/%y:%H:%M:%S:%N%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 27

LINE_BREAKER not working correctly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation