Re: Line Breaking

vijreddy30 · ‎07-15-2024

The above screen shot Blue color line event into one Event and above Blue color lines in to single event

please provide line break event queries.

vijreddy30 · ‎07-19-2024

Hi Team,

04/06/2024;10:08:36;Control;Machine ON
04/06/2024;10:05:39;Others;Start sample (D) ST 2 795 x1000
04/06/2024;10:05:36;Others;Sampling end ST 1
04/06/2024;10:00:25;Others;Start sample (D) ST 1 781 x1000
04/06/2024;09:55:33;Operator;Operator level: 0 -> 6 UP23477

After that break the event, I written regex like
^\d{2}\/\d{2}\/\d{4};\d{2}:\d{2}:\d{2};Operator;Operator\slevel:\s0\s->\s+6\s+\w+

but not break the event , please help me the regex query

PickleRick · ‎07-19-2024

LINE_BREAKER must contain a capture group. Everything before capture group is considered "previous event", capture group is treated as event breaker _and is removed from your data_ and everything after the capture group is part of the "next event".

Also - you still didn't say what constitutes a new event in your example.

PickleRick · ‎07-15-2024

And how would you tell one event from another? Specify what makes a line be a start of a new event.

inventsekar · ‎07-15-2024

Hi @vijreddy30

the props.conf is needed to understand the line breaking.

then only the it can be troubleshooted, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

vijreddy30 · ‎07-16-2024

Thanks for Update

04/06/2024;09:55:33;Operator;Operator level: 0 -> 6 EP78543 line break Before and after regex query

PickleRick · ‎07-16-2024

Again - what in this event should tell Splunk that it's a new event?

Line Breaking

props.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?