Getting Data In
Highlighted

LINE_BREAKER not working correctly

Contributor

The event I want to break on looks like this:

25/Jan/17:10:23:00:069+0000 DEBUG Evaluation of condition [188:FTP Mastering Users] took 0 ms

props.conf looks like this:
LINE_BREAKER = ([\r\n]+)(\d+/\w{3}/\d+:\d{2}:\d{2}:\d{2}:\d{3})
I've also tried this:
LINE_BREAKER = ([\r\n]+)(\d+\/\w{3}\/\d+:\d{2}:\d{2}:\d{2}:\d{3})
TIME_FORMAT = %-m/%b/%y:%H:%M:%S:%3N%z
TRUNCATE = 0

I'm still finding that my indexers are now combining every event matching the REGEX into a single event ( until the max events boundary is reached )

I figure I'm getting hung up on the "forward slash" in the date vs what I have in the REGEX, but have not been able to ingest this particular datasource accurately. So do I need to go a step further with regards to

0 Karma
Highlighted

Re: LINE_BREAKER not working correctly

SplunkTrust
SplunkTrust

Give this a try

[yourSourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d+\/\w+\/\d+:\d+:\d+:\d+)
TIME_FORMAT = %d/%b/%y:%H:%M:%S:%N%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 27

View solution in original post

Highlighted

Re: LINE_BREAKER not working correctly

Esteemed Legend

Try this:

([\r\n]+)(\d+\/\w{3}\/\d+:\d{2}:\d{2}:\d{2}:\d{3})

You can test your RegEx with http://www.regex101.com. This showed that you were not escaping your / characters.

0 Karma