Line Break in multiline event doesn't work

avoelk
Communicator

Hello fellow splunkers!

atm I'm trying to break up a huge multiline event that is merged together with &&&. When I try to explicitly tell Splunk to BREAK_ONLY_AFTER = &&& it doesn't work. I also tried BREAK_ONLY_BEFORE = \d+.\d+.\d+.\d+\s-\s- and BREAK_ONLY_AFTER = \d{3}&&&

it seems that nothing I try works. please help

here is the source log: 

141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-20&product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929

1 Solution

avoelk
Communicator

I think I found a solution already as provided here:

Unable-to-break-Multi-line-event-into-single-event 

When using LINE_BREAKER = it is apparently mandatory to encase your regex with () otherwise it doesn't work. I didn't know that. What I used, and what worked was one of the Regex I posted above but like this: 

LINE_BREAKER = (\d{3}&&&)


richgalloway
SplunkTrust

It doesn't work because there is no setting called BREAK_ONLY_AFTER.  There is BREAK_ONLY_BEFORE and MUST_BREAK_AFTER, however.  It's more efficient, however, to use LINE_BREAKER.  Try these props.conf settings.

[mysourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (&&&)
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y %H:%M:%S:%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
TRUNCATE = 10000
---
If this reply helps you, Karma would be appreciated.
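
Added example, not part of any post in this thread: a small Python model of how LINE_BREAKER treats its first capturing group (whatever the group matches is discarded and does not appear in any event), run on a shortened, constructed version of the log from the question. The helper names, the ValueError for a breaker without a group, and the use of Python's re module in place of Splunk's PCRE engine are assumptions of this example.

```python
import re

# Constructed sample: three events modelled on the log in the question,
# shortened (referrer and user agent dropped), still joined by "&&&".
RAW = (
    '141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen HTTP 1.1" 200 3496 294'
    '&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen HTTP 1.1" 200 2320 361'
    '&&&141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen HTTP 1.1" 200 3855 929'
)


def break_events(raw, line_breaker):
    """Model of LINE_BREAKER: the previous event ends where capture group 1
    starts, the next event begins where it ends, and the group is dropped."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        # Modelling choice: reject a breaker that has no capturing group.
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for match in pattern.finditer(raw):
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    events.append(raw[start:])
    return events


def discarded(raw, line_breaker):
    """Text that never reaches the index: the contents of capture group 1."""
    return [m.group(1) for m in re.finditer(line_breaker, raw)]


def last_fields(raw, line_breaker):
    """Final whitespace-separated field of each resulting event."""
    return [event.split()[-1] for event in break_events(raw, line_breaker)]


if __name__ == "__main__":
    for breaker in (r"(&&&)", r"(\d{3}&&&)", r"\d{3}(&&&)"):
        print(breaker, last_fields(RAW, breaker), discarded(RAW, breaker))
```

In this model, any digits placed inside the capturing group are removed from the event along with the delimiter, while digits matched outside the group stay with the preceding event.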

avoelk
Communicator

hi @richgalloway ,

thanks for your answer, that's exactly what I just figured out 🙂 thanks for your fast reply tho! if I wouldn't have tried this a minute ago this would've been my life saver.

and you're right - I misread props.conf.spec. What could be used is BREAK_ONLY_BEFORE or MUST_BREAK_AFTER
