Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Line Break in multiline event doesn't work
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello fellow splunkers!
atm I'm trying to break up a huge multiline event that is merged together with &&&. When I try to explicitly tell Splunk to BREAK_ONLY_AFTER = &&& it doesn't work. I also tried BREAK_ONLY_BEFORE = \d+.\d+.\d+.\d+\s-\s- and BREAK_ONLY_AFTER = \d{3}&&&
it seems that nothing I try works. please help
here is the source log:
141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-20&product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found a solution already as provided here:
Unable-to-break-Multi-line-event-into-single-event
When using LINE_BREAKER = it is apparently mandatory to encase your regex with () otherwise it doesn't work. I didn't know that. What I used, and what worked was one of the Regex I posted above but like this:
LINE_BREAKER = (\d{3}&&&)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found a solution already as provided here:
Unable-to-break-Multi-line-event-into-single-event
When using LINE_BREAKER = it is apparently mandatory to encase your regex with () otherwise it doesn't work. I didn't know that. What I used, and what worked was one of the Regex I posted above but like this:
LINE_BREAKER = (\d{3}&&&)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't work because there is no setting called BREAK_ONLY_AFTER. There is BREAK_ONLY_BEFORE and MUST_BREAK_AFTER, however. It's more efficient, however, to use LINE_BREAKER. Try these props.conf settings.
[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (&&&)
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
TRUNCATE = 10000If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @richgalloway ,
thanks for your answer, that's exactly what I just figured out 🙂 thanks for your fast reply tho! if I wouldn't have tried this a minute ago this would've been my life saver.
and you're right - I missread props.conf.spec . What could be used is BREAK_ONLY_BEFORE or MUST_BREAK_AFTER
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
