Getting Data In

Line break events not working as per regex.

joydeep741
Path Finder

Splunk is auto-truncating or line-breaking events after a fixed set of lines (and not as per BREAK_ONLY_BEFORE).

I have used these properties.

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE= ([\r\n]+)[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TRUNCATE=0

Do you suggest any other property to be added? What should I do to add more lines to one event?

I want the new event to start ONLY when the regex given in BREAK_ONLY_BEFORE appears.

0 Karma

joydeep741
Path Finder

I have given the actual regex only. Only for explanation purposes I wrote the word 'regex'.

[punchout]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TRUNCATE = 0

0 Karma

esix_splunk
Splunk Employee

Can you give an example of the data?

0 Karma

joydeep741
Path Finder

[INFO] [01/10/2017 04:58:52:411] [0] [null] UserCreateAndEditTask started processing for cXML:
15106482199999915106482141304C6C6E636176306C4330476A307761676C716A3079656E4571305430794330504330476941Staples User AgentyAdEglBADjzfh0HEylEfnqAym0Ib-
[INFO] [01/10/2017 04:58:52:414] [0] [null] toDuns value is 999999
[INFO] [01/10/2017 04:58:52:414] [0] [null] fromDuns value is 151064821
[INFO] [01/10/2017 04:58:52:414] [0] [null] Inside if condition, toDuns,fromDuns and sharedSecret keys matched
[INFO] [01/10/2017 04:58:52:688] [0] [null] Session Details - ServerName:lolrtnasp02.staples.com,UserName:Sv_User_Admin,ProjectName:Reporting Center,ServerPort:34952
[INFO] [01/10/2017 04:58:52:689] [0] [null] Searching for the user:0001018242001NAT7603083007
[INFO] [01/10/2017 04:58:53:192] [0] [null] Calling method getAccountDetails for Short Account id
[INFO] [01/10/2017 04:58:53:192] [0] [null] Inside getAccountDetails Method
[INFO] [01/10/2017 04:58:53:456] [0] [null] Setting Report filter for accountName:1018242NAT
[INFO] [01/10/2017 04:58:53:710] [0] [null] No. of lines in report output:4
[INFO] [01/10/2017 04:58:53:710] [0] [null] getAccountDetails method returned:Mid-Market,1018242NAT
[INFO] [01/10/2017 04:58:53:710] [0] [null] User exists in mstr
[INFO] [01/10/2017 04:58:53:713] [0] [null] Setting user information
[INFO] [01/10/2017 04:58:53:961] [0] [null] Setting user information completed.
[INFO] [01/10/2017 04:58:53:962] [0] [null] Inside isSFValid method for masterAccountNumber:1018242NAT
[INFO] [01/10/2017 04:58:54:055] [0] [null] isSFValid method completed with value:true
[INFO] [01/10/2017 04:58:54:952] [0] [null] User saved.
[INFO] [01/10/2017 04:58:56:599] [0] [null] Inside validate SSL method.
[INFO] [01/10/2017 04:58:56:599] [0] [null] validate SSL method finished successfully with output https://origin-report1.sltest.com:443/MicroStrategy/servlet/mstrWeb
[INFO] [01/10/2017 04:58:56:600] [0] [null] UserCreateAndEditTask finished processing with output:

[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask processRequest method started
[INFO] [01/10/2017 05:03:57:944] [17] [null] Calling checkForRequiredParameters method for request keys:cXML:

taskId:
UserCreateAndEditTask

taskEnv:
xhr

taskContentType:
xml

=========================================================
[INFO] [01/10/2017 05:03:57:944] [17] [null] checkForRequiredParameters method finished successfully
[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask started processing for cXML:
15106482199999915106482141304C6C6E636176306C4330476A307761676C716A3079656E4571305430794330504330476941Staples User AgentyAdEglBFDmthp0HEylEfnqAym0Ib-10001018242001NAT_APPSFO11018242NATAPPSFO1OCS INC.ADMINAT1ADMINAT1AMNLBPRO6B9325A8448DE7D973310C8B073FD84F;623F009C496B02C2F8
[INFO] [01/10/2017 05:03:58:227] [17] [null] Session Details - ServerName:lolrtnasp02.staples.com,UserName:Sv_User_Admin,ProjectName:Reporting Center,ServerPort:34952
[INFO] [01/10/2017 05:03:58:228] [17] [null] Searching for the user:0001018242001NAT7603083007
[INFO] [01/10/2017 05:03:59:747] [17] [null] Calling method getAccountDetails for Short Account id
[INFO] [01/10/2017 05:03:59:747] [17] [null] Inside getAccountDetails Method
[INFO] [01/10/2017 05:04:00:012] [17] [null] Setting Report filter for accountName:1018242NAT
[INFO] [01/10/2017 05:04:00:266] [17] [null] No. of lines in report output:4
[INFO] [01/10/2017 05:04:00:266] [17] [null] getAccountDetails method returned:Mid-Market,1018242NAT
[INFO] [01/10/2017 05:04:00:267] [17] [null] User exists in mstr
[INFO] [01/10/2017 05:04:00:293] [17] [null] Setting user information
[INFO] [01/10/2017 05:04:00:352] [17] [null] Setting user information completed.
[INFO] [01/10/2017 05:04:00:352] [17] [null] Inside isSFValid method for masterAccountNumber:1018242NAT
[INFO] [01/10/2017 05:04:00:409] [17] [null] isSFValid method completed with value:true
[INFO] [01/10/2017 05:04:00:557] [17] [null] User saved.
[INFO] [01/10/2017 05:04:01:925] [17] [null] Inside validate SSL method.
[INFO] [01/10/2017 05:04:01:925] [17] [null] validate SSL method finished successfully with output https://origin-report1.sltest.com:443/MicroStrategy/servlet/mstrWeb
[INFO] [01/10/2017 05:04:01:926] [17] [null] UserCreateAndEditTask finished processing with output:

0 Karma

esix_splunk
Splunk Employee

The BREAK_ONLY_BEFORE= regex statement here is wrong. What goes here is the regex expression, not the literal "regex". So this should look like:

BREAK_ONLY_BEFORE= ^New Line 

That says break only before a new line with the text from the left of "New Line".

0 Karma

joydeep741
Path Finder

Regex is perfectly fine and works well when I locally test it.

0 Karma
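
An offline check of the posted stanza, as an added example that is not part of the original thread: it runs the posted BREAK_ONLY_BEFORE pattern over log lines constructed in the thread's format and models line merging with a per-event line cap. Assumptions: the cap models the props.conf setting MAX_EVENTS (default 256), which the thread does not mention; Python's `re` stands in for Splunk's PCRE; `EXPLICIT`, `merge_events`, `sample`, `match_start` and `event_sizes` are hypothetical names.

```python
import re

# BREAK_ONLY_BEFORE value exactly as posted in the [punchout] stanza.
POSTED = (r"[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}]"
          r".+UserCreateAndEditTask\sprocessRequest\smethod\sstarted")
# Hypothetical variant: anchored, with the literal brackets escaped.
EXPLICIT = (r"^\[\w+\]\s\[\d{1,2}/\d{1,2}/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}\]"
            r".+UserCreateAndEditTask\sprocessRequest\smethod\sstarted")

# Constructed lines in the format of the sample data posted in the thread.
START = ("[INFO] [01/10/2017 05:03:57:944] [17] [null] "
         "UserCreateAndEditTask processRequest method started")
OTHER = "[INFO] [01/10/2017 05:03:58:228] [17] [null] Inside getAccountDetails Method"

def match_start(pattern, line):
    """Offset where an unanchored search first matches, or None."""
    m = re.search(pattern, line)
    return m.start() if m else None

def merge_events(lines, break_only_before, max_events=256):
    """Start a new event when the pattern is found in a line, or when the
    current event already holds max_events lines (assumed line cap)."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in lines:
        if current and (pattern.search(line) or len(current) >= max_events):
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events

def sample(transactions, lines_each):
    """Constructed input: each transaction is one START line plus filler."""
    return [l for _ in range(transactions)
            for l in [START] + [OTHER] * (lines_each - 1)]

def event_sizes(pattern, max_events):
    return [len(e) for e in merge_events(sample(2, 300), pattern, max_events)]

if __name__ == "__main__":
    # In POSTED the unescaped [...] groups are character classes, so the match
    # begins inside the timestamp rather than at the start of the line.
    print(match_start(POSTED, START), match_start(EXPLICIT, START))
    print(event_sizes(POSTED, 256))    # the cap splits each 300-line transaction
    print(event_sizes(POSTED, 1000))   # cap above the transaction length
```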