Getting Data In

Line break events not working as per regex.

joydeep741
Path Finder

Splunk is Auto-truncating or Line breaking events after a fixed set of lines (and not as per BREAK_ONLY_BEFORE).

I have used these properties.

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE= ([\r\n]+)[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TRUNCATE=0

Do you suggest any other property to be added ? What should I do to add more lines to one event ?

I want the new event to start ONLY when the regex given in BREAK_ONLY_BEFORE appears.

0 Karma

joydeep741
Path Finder

I have given the actual regex only. Only for explanation purpose I wrote the word 'regex'.

[punchout]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TRUNCATE = 0

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Can you give an example of the data..

0 Karma

joydeep741
Path Finder

[INFO] [01/10/2017 04:58:52:411] [0] [null] UserCreateAndEditTask started processing for cXML:
15106482199999915106482141304C6C6E636176306C4330476A307761676C716A3079656E4571305430794330504330476941Staples User AgentyAdEglBADjzfh0HEylEfnqAym0Ib-
[INFO] [01/10/2017 04:58:52:414] [0] [null] toDuns value is 999999
[INFO] [01/10/2017 04:58:52:414] [0] [null] fromDuns value is 151064821
[INFO] [01/10/2017 04:58:52:414] [0] [null] Inside if condition, toDuns,fromDuns and sharedSecret keys matched
[INFO] [01/10/2017 04:58:52:688] [0] [null] Session Details - ServerName:lolrtnasp02.staples.com,UserName:Sv_User_Admin,ProjectName:Reporting Center,ServerPort:34952
[INFO] [01/10/2017 04:58:52:689] [0] [null] Searching for the user:0001018242001NAT7603083007
[INFO] [01/10/2017 04:58:53:192] [0] [null] Calling method getAccountDetails for Short Account id
[INFO] [01/10/2017 04:58:53:192] [0] [null] Inside getAccountDetails Method
[INFO] [01/10/2017 04:58:53:456] [0] [null] Setting Report filter for accountName:1018242NAT
[INFO] [01/10/2017 04:58:53:710] [0] [null] No. of lines in report output:4
[INFO] [01/10/2017 04:58:53:710] [0] [null] getAccountDetails method returned:Mid-Market,1018242NAT
[INFO] [01/10/2017 04:58:53:710] [0] [null] User exists in mstr
[INFO] [01/10/2017 04:58:53:713] [0] [null] Setting user information
[INFO] [01/10/2017 04:58:53:961] [0] [null] Setting user information completed.
[INFO] [01/10/2017 04:58:53:962] [0] [null] Inside isSFValid method for masterAccountNumber:1018242NAT
[INFO] [01/10/2017 04:58:54:055] [0] [null] isSFValid method completed with value:true
[INFO] [01/10/2017 04:58:54:952] [0] [null] User saved.
[INFO] [01/10/2017 04:58:56:599] [0] [null] Inside validate SSL method.
[INFO] [01/10/2017 04:58:56:599] [0] [null] validate SSL method finished successfully with output https://origin-report1.sltest.com:443/MicroStrategy/servlet/mstrWeb
[INFO] [01/10/2017 04:58:56:600] [0] [null] UserCreateAndEditTask finished processing with output:

[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask processRequest method started
[INFO] [01/10/2017 05:03:57:944] [17] [null] Calling checkForRequiredParameters method for request keys:cXML:

taskId:
UserCreateAndEditTask

taskEnv:
xhr

taskContentType:
xml

=========================================================
[INFO] [01/10/2017 05:03:57:944] [17] [null] checkForRequiredParameters method finished successfully
[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask started processing for cXML:
15106482199999915106482141304C6C6E636176306C4330476A307761676C716A3079656E4571305430794330504330476941Staples User AgentyAdEglBFDmthp0HEylEfnqAym0Ib-10001018242001NAT_APPSFO11018242NATAPPSFO1OCS INC.ADMINAT1ADMINAT1AMNLBPRO6B9325A8448DE7D973310C8B073FD84F;623F009C496B02C2F8
[INFO] [01/10/2017 05:03:58:227] [17] [null] Session Details - ServerName:lolrtnasp02.staples.com,UserName:Sv_User_Admin,ProjectName:Reporting Center,ServerPort:34952
[INFO] [01/10/2017 05:03:58:228] [17] [null] Searching for the user:0001018242001NAT7603083007
[INFO] [01/10/2017 05:03:59:747] [17] [null] Calling method getAccountDetails for Short Account id
[INFO] [01/10/2017 05:03:59:747] [17] [null] Inside getAccountDetails Method
[INFO] [01/10/2017 05:04:00:012] [17] [null] Setting Report filter for accountName:1018242NAT
[INFO] [01/10/2017 05:04:00:266] [17] [null] No. of lines in report output:4
[INFO] [01/10/2017 05:04:00:266] [17] [null] getAccountDetails method returned:Mid-Market,1018242NAT
[INFO] [01/10/2017 05:04:00:267] [17] [null] User exists in mstr
[INFO] [01/10/2017 05:04:00:293] [17] [null] Setting user information
[INFO] [01/10/2017 05:04:00:352] [17] [null] Setting user information completed.
[INFO] [01/10/2017 05:04:00:352] [17] [null] Inside isSFValid method for masterAccountNumber:1018242NAT
[INFO] [01/10/2017 05:04:00:409] [17] [null] isSFValid method completed with value:true
[INFO] [01/10/2017 05:04:00:557] [17] [null] User saved.
[INFO] [01/10/2017 05:04:01:925] [17] [null] Inside validate SSL method.
[INFO] [01/10/2017 05:04:01:925] [17] [null] validate SSL method finished successfully with output https://origin-report1.sltest.com:443/MicroStrategy/servlet/mstrWeb
[INFO] [01/10/2017 05:04:01:926] [17] [null] UserCreateAndEditTask finished processing with output:

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

The BREAK_ONLY_BEFORE= regex statement here is wrong. What goes here is the regex expression, not the literal "regex". So this should look like:

BREAK_ONLY_BEFORE= ^New Line 

That says break only before a new line with the text from the left of "New Line"

0 Karma

joydeep741
Path Finder

Regex is perfectly fine and works well when I locally test it.

0 Karma

Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on