
Line break events not working as per regex.

Path Finder

Splunk is auto-truncating or line-breaking events after a fixed set of lines (and not as per BREAK_ONLY_BEFORE).

I have used these properties.

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE= ([\r\n]+)[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TRUNCATE=0

Do you suggest any other property to be added? What should I do to add more lines to one event?

I want the new event to start ONLY when the regex given in BREAK_ONLY_BEFORE appears.

0 Karma

Path Finder

I have given the actual regex only. I wrote the word 'regex' only for explanation purposes.

[punchout]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}].+UserCreateAndEditTask\sprocessRequest\smethod\sstarted
TRUNCATE = 0

0 Karma

Splunk Employee

Can you give an example of the data?

0 Karma

Path Finder

[INFO] [01/10/2017 04:58:52:411] [0] [null] UserCreateAndEditTask started processing for cXML:
15106482199999915106482141304C6C6E636176306C4330476A307761676C716A3079656E4571305430794330504330476941Staples User AgentyAdEglBADjzfh0HEylEfnqAym0Ib-
[INFO] [01/10/2017 04:58:52:414] [0] [null] toDuns value is 999999
[INFO] [01/10/2017 04:58:52:414] [0] [null] fromDuns value is 151064821
[INFO] [01/10/2017 04:58:52:414] [0] [null] Inside if condition, toDuns,fromDuns and sharedSecret keys matched
[INFO] [01/10/2017 04:58:52:688] [0] [null] Session Details - ServerName:lolrtnasp02.staples.com,UserName:Sv_User_Admin,ProjectName:Reporting Center,ServerPort:34952
[INFO] [01/10/2017 04:58:52:689] [0] [null] Searching for the user:0001018242001NAT7603083007
[INFO] [01/10/2017 04:58:53:192] [0] [null] Calling method getAccountDetails for Short Account id
[INFO] [01/10/2017 04:58:53:192] [0] [null] Inside getAccountDetails Method
[INFO] [01/10/2017 04:58:53:456] [0] [null] Setting Report filter for accountName:1018242NAT
[INFO] [01/10/2017 04:58:53:710] [0] [null] No. of lines in report output:4
[INFO] [01/10/2017 04:58:53:710] [0] [null] getAccountDetails method returned:Mid-Market,1018242NAT
[INFO] [01/10/2017 04:58:53:710] [0] [null] User exists in mstr
[INFO] [01/10/2017 04:58:53:713] [0] [null] Setting user information
[INFO] [01/10/2017 04:58:53:961] [0] [null] Setting user information completed.
[INFO] [01/10/2017 04:58:53:962] [0] [null] Inside isSFValid method for masterAccountNumber:1018242NAT
[INFO] [01/10/2017 04:58:54:055] [0] [null] isSFValid method completed with value:true
[INFO] [01/10/2017 04:58:54:952] [0] [null] User saved.
[INFO] [01/10/2017 04:58:56:599] [0] [null] Inside validate SSL method.
[INFO] [01/10/2017 04:58:56:599] [0] [null] validate SSL method finished successfully with output https://origin-report1.sltest.com:443/MicroStrategy/servlet/mstrWeb
[INFO] [01/10/2017 04:58:56:600] [0] [null] UserCreateAndEditTask finished processing with output:

[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask processRequest method started
[INFO] [01/10/2017 05:03:57:944] [17] [null] Calling checkForRequiredParameters method for request keys:cXML:

taskId:
UserCreateAndEditTask

taskEnv:
xhr

taskContentType:
xml

=========================================================
[INFO] [01/10/2017 05:03:57:944] [17] [null] checkForRequiredParameters method finished successfully
[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask started processing for cXML:
15106482199999915106482141304C6C6E636176306C4330476A307761676C716A3079656E4571305430794330504330476941Staples User AgentyAdEglBFDmthp0HEylEfnqAym0Ib-10001018242001NAT_APPSFO11018242NATAPPSFO1OCS INC.ADMINAT1ADMINAT1AMNLBPRO6B9325A8448DE7D973310C8B073FD84F;623F009C496B02C2F8
[INFO] [01/10/2017 05:03:58:227] [17] [null] Session Details - ServerName:lolrtnasp02.staples.com,UserName:Sv_User_Admin,ProjectName:Reporting Center,ServerPort:34952
[INFO] [01/10/2017 05:03:58:228] [17] [null] Searching for the user:0001018242001NAT7603083007
[INFO] [01/10/2017 05:03:59:747] [17] [null] Calling method getAccountDetails for Short Account id
[INFO] [01/10/2017 05:03:59:747] [17] [null] Inside getAccountDetails Method
[INFO] [01/10/2017 05:04:00:012] [17] [null] Setting Report filter for accountName:1018242NAT
[INFO] [01/10/2017 05:04:00:266] [17] [null] No. of lines in report output:4
[INFO] [01/10/2017 05:04:00:266] [17] [null] getAccountDetails method returned:Mid-Market,1018242NAT
[INFO] [01/10/2017 05:04:00:267] [17] [null] User exists in mstr
[INFO] [01/10/2017 05:04:00:293] [17] [null] Setting user information
[INFO] [01/10/2017 05:04:00:352] [17] [null] Setting user information completed.
[INFO] [01/10/2017 05:04:00:352] [17] [null] Inside isSFValid method for masterAccountNumber:1018242NAT
[INFO] [01/10/2017 05:04:00:409] [17] [null] isSFValid method completed with value:true
[INFO] [01/10/2017 05:04:00:557] [17] [null] User saved.
[INFO] [01/10/2017 05:04:01:925] [17] [null] Inside validate SSL method.
[INFO] [01/10/2017 05:04:01:925] [17] [null] validate SSL method finished successfully with output https://origin-report1.sltest.com:443/MicroStrategy/servlet/mstrWeb
[INFO] [01/10/2017 05:04:01:926] [17] [null] UserCreateAndEditTask finished processing with output:

0 Karma

Splunk Employee

The BREAK_ONLY_BEFORE= regex statement here is wrong. What goes here is the regex expression, not the literal "regex". So this should look like:

BREAK_ONLY_BEFORE= ^New Line 

That says break only before a new line with the text from the left of "New Line".

0 Karma

Path Finder

Regex is perfectly fine and works well when I locally test it.

0 Karma
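An added example, not part of any post in this thread: a simplified Python model of line merging that tests the two posted BREAK_ONLY_BEFORE values against lines from the sample data, one line at a time. It shows that the `([\r\n]+)` prefix can never match a single line, and that the bracketed groups are character classes, so the second value matches only from `7 05:03...` onward and also matches unrelated lines. `ANCHORED`, `DECOY` and `max_lines` (a stand-in for the props.conf `MAX_EVENTS` line cap, default 256) are assumptions introduced here.

```python
import re

# BREAK_ONLY_BEFORE values exactly as posted in the thread (first and second post).
POSTED_V1 = (r"([\r\n]+)[\w+]\s[\d{1,2}\/\d{1,2}\/\d{1,4}\s\d{1,2}:\d{1,2}:\d{1,2}:\d{1,3}]"
             r".+UserCreateAndEditTask\sprocessRequest\smethod\sstarted")
POSTED_V2 = POSTED_V1[len(r"([\r\n]+)"):]  # same pattern without the newline prefix
# Assumed rewrite (not from the thread): anchored, with [ and ] escaped as literals.
ANCHORED = (r"^\[\w+\]\s\[\d{1,2}/\d{1,2}/\d{4}\s\d{1,2}:\d{2}:\d{2}:\d{3}\]"
            r".+UserCreateAndEditTask\sprocessRequest\smethod\sstarted")

# Lines copied from the sample data posted in the thread.
SAMPLE = [
    "[INFO] [01/10/2017 04:58:56:599] [0] [null] Inside validate SSL method.",
    "[INFO] [01/10/2017 04:58:56:600] [0] [null] UserCreateAndEditTask finished processing with output:",
    "[INFO] [01/10/2017 05:03:57:944] [17] [null] UserCreateAndEditTask processRequest method started",
    "[INFO] [01/10/2017 05:03:57:944] [17] [null] Calling checkForRequiredParameters method for request keys:cXML:",
    "taskId:",
    "UserCreateAndEditTask",
    "[INFO] [01/10/2017 05:03:57:944] [17] [null] checkForRequiredParameters method finished successfully",
]
# Constructed line: no log header, but "<word char> <digit>" appears before the phrase.
DECOY = "retry 2 UserCreateAndEditTask processRequest method started"

def matched_text(regex, line):
    """Return the substring the regex matches within one line, or None."""
    m = re.search(regex, line)
    return m.group(0) if m else None

def merge_events(lines, break_before, max_lines=256):
    """Start a new event only before a matching line, or when the line cap is hit."""
    pattern = re.compile(break_before)
    events, current = [], []
    for line in lines:  # each line is tested on its own, without its newline
        if current and (pattern.search(line) or len(current) >= max_lines):
            events.append(current)
            current = []
        current.append(line)
    if current:
        events.append(current)
    return events

if __name__ == "__main__":
    for name, rx in (("v1", POSTED_V1), ("v2", POSTED_V2), ("anchored", ANCHORED)):
        sizes = [len(e) for e in merge_events(SAMPLE, rx)]
        print(name, "event sizes:", sizes, "matches decoy:", bool(matched_text(rx, DECOY)))
    print("cap of 3 lines:", [len(e) for e in merge_events(SAMPLE, ANCHORED, max_lines=3)])
```

With a cap of 3 lines the second event is split even though the regex is correct, which is the shape of the symptom described in the question.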