Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Line breaking doesn'twork and my event is divided in 2 events

laraspatavcogni
Engager
‎05-29-2020 02:47 AM

the log is parsed in bad way.
that's the props.conf:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Data:\s\d{14}
MAX_EVENTS = 256
TRUNCATE = 10000
TIME_PREFIX = ^Data:\s
TIME_FORMAT = %d%m%Y%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 25

that's the log:

Data: 29052020113001
Numero file in /data/In/ = 0
Numero file in /data/In/IMS/ = 0
Numero file in /data/archive/ = 7
Processi:
a is running
b is running
platform is running
-Controllo sftp
-pippo:
Connected to .
sftp> bye
-pluto:
Connected to .
sftp> bye
-casa:
Connected to .
sftp> bye
-SMC:
Connected to .
sftp> bye
-Datalake:
Connected to .
sftp> bye
-Controllo System Log ultime 48h

no rows selected

i need to have all this log in one splunk event. with that configuration, splunk parse the log in two events:
alt text

Labels (1)
Labels
Preview file
36 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 06:37 AM

BREAK_ONLY_BEFORE and LINE_BREAKER don't go together. Use LINE_BREAKER when SHOULD_LINEMERGE is false; otherwise, use BREAK_ONLY_BEFORE. Try these props.

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Data\:\s
MAX_EVENTS = 256
TRUNCATE = 10000
TIME_PREFIX = ^Data\:\s
TIME_FORMAT = %d%m%Y%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-29-2020 05:34 PM 
[ your_sourcetype ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)Data:
NO_BINARY_CHECK=true
TIME_FORMAT=%d%m%Y%H%M%S
TIME_PREFIX=Data:\s
MAX_TIMESTAMP_LOOKAHEAD=14

props.conf
@richgalloway 's setting is right.
why don't you reboot splunk?

Preview file
190 KB
0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎06-01-2020 05:06 AM

i have rebooted splunk but doesn't work.. i don't know why.. i've never had this problems in props configuration. This log is produced by a shell script.. i need to modify it in some way for delete any "line break" or null value or something else for taking the entire log in an event?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 06:37 AM

BREAK_ONLY_BEFORE and LINE_BREAKER don't go together. Use LINE_BREAKER when SHOULD_LINEMERGE is false; otherwise, use BREAK_ONLY_BEFORE. Try these props.

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)Data\:\s
MAX_EVENTS = 256
TRUNCATE = 10000
TIME_PREFIX = ^Data\:\s
TIME_FORMAT = %d%m%Y%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎05-29-2020 06:46 AM

Hi Rich, thank you per the answer but your solution doesn't work, the event is always divided into 2 parts.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 07:05 AM

Where is the break? Please show an example.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎05-29-2020 08:10 AM

the event remain divided in the same point also changing the line breaker configuration advised by you

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2020 12:06 PM

I asked a follow-up question a while ago, but it seems to have disappeared.

Is the last line of each event consistent? If so, we can use LINE_BREAKER = Controllo System Log \w+ \d+h([\r\n]+)Data:

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎06-01-2020 04:53 AM

i have use it but doesn't work.. the is parsed always in 2 events in the same point. at ever modify i restart the splunk service.
This log is produced by a shell script.. i need to modify it in some way for delete any "line break" or null value or something else for taking the entire log in an event?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2020 05:42 AM

Is there delay between writing "Processi" and writing "A is running"? If so, how long is that delay?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎06-01-2020 05:57 AM

the delay is present in every section delimited by label ("PIPPO:" "PLUTO:" "CASA:") the delay is around 0.2 sec. if is this the problem, how can I solve this problem?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2020 07:02 AM

It may not be the problem, but it's possible. Try adding this to your inputs.conf file.

multiline_event_extra_waittime = true
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎06-01-2020 07:20 AM

it works!!!!! thank you ❤️

0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎05-29-2020 07:17 AM

the log in divided in 2 events in this mode:
Data: 29052020160601
Numero file in /data/In/ = 0
Numero file in /data/In/IMS/ = 0
Numero file in /data/archive/ negli ultimi 15 min = 6
Processi
----------------DIVISION----------------
A is running
B is running
platform is running
-Controllo sftp
-PIPPO:
Connected to.
sftp> bye
-PLUTO:
Connected to
sftp> bye
-CASA:
Connected to
sftp> bye
-SMC:
Connected to
sftp> bye
-Datalake:
Connected to
sftp> bye
-Controllo System Log ultime 48h
no rows selected

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎05-29-2020 03:32 AM

can you try removing below from props.conf because it seems due to below event is getting divided-

BREAK_ONLY_BEFORE = ^Data\:\s\d{14}
LINE_BREAKER = ([\r\n]+)Data\:\s\d{14}
MAX_EVENTS = 256
0 Karma
Reply
Solved! Jump to solution

laraspatavcogni
Engager
‎05-29-2020 03:39 AM

if i removethe line breaker how splunk can know where needs to break the event?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...