The log is parsed in a bad way.
That's the props.conf:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Data:\s\d{14}
MAX_EVENTS = 256
TRUNCATE = 10000
TIME_PREFIX = ^Data:\s
TIME_FORMAT = %d%m%Y%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 25
That's the log:
Data: 29052020113001
Numero file in /data/In/ = 0
Numero file in /data/In/IMS/ = 0
Numero file in /data/archive/ = 7
Processi:
a is running
b is running
platform is running
-Controllo sftp
-pippo:
Connected to .
sftp> bye
-pluto:
Connected to .
sftp> bye
-casa:
Connected to .
sftp> bye
-SMC:
Connected to .
sftp> bye
-Datalake:
Connected to .
sftp> bye
-Controllo System Log ultime 48h
no rows selected
I need to have all of this log in one Splunk event. With that configuration, Splunk parses the log into two events:
BREAK_ONLY_BEFORE and LINE_BREAKER don't go together. Use LINE_BREAKER when SHOULD_LINEMERGE is false; otherwise, use BREAK_ONLY_BEFORE. Try these props.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Data\:\s
MAX_EVENTS = 256
TRUNCATE = 10000
TIME_PREFIX = ^Data\:\s
TIME_FORMAT = %d%m%Y%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14
I have rebooted Splunk but it doesn't work... I don't know why... I've never had these problems with props configuration. This log is produced by a shell script... Do I need to modify it in some way to delete any "line break" or null value or something else to get the entire log into one event?
Hi Rich, thank you for the answer, but your solution doesn't work; the event is always divided into 2 parts.
Where is the break? Please show an example.
The event remains divided at the same point even after changing the line breaker configuration you advised.
I asked a follow-up question a while ago, but it seems to have disappeared.
Is the last line of each event consistent? If so, we can use LINE_BREAKER = Controllo System Log \w+ \d+h([\r\n]+)Data:
I have used it but it doesn't work... the log is always parsed into 2 events at the same point. After every modification I restart the Splunk service.
This log is produced by a shell script... Do I need to modify it in some way to delete any "line break" or null value or something else to get the entire log into one event?
Is there delay between writing "Processi" and writing "A is running"? If so, how long is that delay?
The delay is present in every section delimited by a label ("PIPPO:", "PLUTO:", "CASA:"); the delay is around 0.2 sec. If this is the problem, how can I solve it?
It may not be the problem, but it's possible. Try adding this to your inputs.conf file.
multiline_event_extra_waittime = true
It works!!!!! Thank you ❤️
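To make the two mechanisms discussed in this thread concrete, here is an added Python emulation (not Splunk's code and not part of the original thread) of what the props.conf LINE_BREAKER does to a raw stream, and a simplified model of why a slowly written file can still be split even when the breaker is correct. The `monitor_events` function models the documented default of the file monitor (an event delimiter is sent when it reaches EOF right after a newline) against the `multiline_event_extra_waittime = true` behaviour (wait until the file has been idle before delimiting); the 3.0 s idle timeout, the 0.2 s pause and the trimmed sample log are constructed assumptions for the model, and the timestamp parser is a simplified stand-in for Splunk's lenient strptime.

```python
import re
from datetime import datetime
from math import inf

# props.conf settings from the thread (the breaker proposed in the answer)
LINE_BREAKER = r"([\r\n]+)Data:\s"
TIME_PREFIX = r"^Data:\s"
TIME_FORMAT = "%d%m%Y%H%M%S"
MAX_TIMESTAMP_LOOKAHEAD = 14


def break_events(raw, line_breaker=LINE_BREAKER):
    """Emulate SHOULD_LINEMERGE = false with LINE_BREAKER.

    The regex must contain one capture group. The current event ends where
    the group starts, the text the group matched is discarded, and the next
    event begins where the group ends. Anything the regex matched outside the
    group (here "Data: " or "Data: <14 digits>") stays with the new event, so
    putting \\d{14} inside or outside the breaker changes nothing here.
    """
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        chunk = raw[start:m.start(1)]
        if chunk:
            events.append(chunk)
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def extract_timestamp(event, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Simplified TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD model:
    look at up to `lookahead` characters after the prefix and parse the
    14-digit stamp. Returns None when the window is too short to hold it."""
    m = re.search(TIME_PREFIX, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    digits = re.match(r"\d{14}", window)
    if not digits:
        return None
    return datetime.strptime(digits.group(), TIME_FORMAT)


def monitor_events(writes, extra_waittime=False, idle_timeout=3.0):
    """Model of the inputs.conf multiline_event_extra_waittime behaviour.

    `writes` is a list of (text, idle_seconds_after) pairs: what the script
    appended to the file and how long the file then sat unchanged. By default
    the monitor inserts an event delimiter when it hits EOF right after a
    newline; with extra_waittime=True it only does so once the file has been
    idle for `idle_timeout` seconds (3.0 s is an assumed value for the model).
    Every forced delimiter is a hard event boundary; LINE_BREAKER is then
    applied inside each segment.
    """
    events, buf = [], ""
    for text, idle in writes:
        buf += text
        delimit = buf.endswith("\n") and (not extra_waittime or idle >= idle_timeout)
        if delimit:
            events.extend(break_events(buf))
            buf = ""
    if buf:
        events.extend(break_events(buf))
    return events


# Constructed sample modelled on the thread's log: the script writes the header
# block, pauses about 0.2 s, then writes the rest (the split point seen above).
PART1 = (
    "Data: 29052020160601\n"
    "Numero file in /data/In/ = 0\n"
    "Numero file in /data/archive/ negli ultimi 15 min = 6\n"
    "Processi\n"
)
PART2 = (
    "A is running\n"
    "platform is running\n"
    "-Controllo sftp\n"
    "-PIPPO:\n"
    "Connected to.\n"
    "sftp> bye\n"
    "-Controllo System Log ultime 48h\n"
    "no rows selected\n"
)
WRITES = [(PART1, 0.2), (PART2, inf)]


if __name__ == "__main__":
    run1 = PART1 + PART2
    run2 = run1.replace("29052020160601", "29052020170601")
    # 1. File read in one go: one event per "Data:" header with either breaker.
    for breaker in (LINE_BREAKER, r"([\r\n]+)Data:\s\d{14}"):
        evs = break_events(run1 + run2, breaker)
        print(f"{breaker!r}: {len(evs)} events; second starts {evs[1].splitlines()[0]!r}")
    # 2. Slowly written file: the EOF delimiter splits at "Processi" unless the
    #    monitor waits for the file to go idle.
    print("default:", len(monitor_events(WRITES)), "events")
    print("extra_waittime:", len(monitor_events(WRITES, extra_waittime=True)), "events")
    print("timestamp:", extract_timestamp(run1))
```

The first part reproduces what the thread observed: changing the breaker from `([\r\n]+)Data:\s\d{14}` to `([\r\n]+)Data:\s` yields identical events, so the breaker was never the cause of the split. The second part shows the split landing exactly after the line written before the pause, and disappearing when the monitor waits for the file to go idle. The `lookahead=10` case in the check below is the caveat on MAX_TIMESTAMP_LOOKAHEAD: a window shorter than the 14-digit stamp leaves no timestamp to parse.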
The log is divided into 2 events in this way:
Data: 29052020160601
Numero file in /data/In/ = 0
Numero file in /data/In/IMS/ = 0
Numero file in /data/archive/ negli ultimi 15 min = 6
Processi
----------------DIVISION----------------
A is running
B is running
platform is running
-Controllo sftp
-PIPPO:
Connected to.
sftp> bye
-PLUTO:
Connected to
sftp> bye
-CASA:
Connected to
sftp> bye
-SMC:
Connected to
sftp> bye
-Datalake:
Connected to
sftp> bye
-Controllo System Log ultime 48h
no rows selected
Can you try removing the below from props.conf, because it seems the event is getting divided due to the below:
BREAK_ONLY_BEFORE = ^Data\:\s\d{14}
LINE_BREAKER = ([\r\n]+)Data\:\s\d{14}
MAX_EVENTS = 256
If I remove the line breaker, how can Splunk know where it needs to break the event?