Looking for a good walk through on props.conf line breaking

daniel333
Builder

So I am messing with the output of nfsiostat. Been at this for a few hours now, so maybe I just need a break. I guess I just don't get how linebreaker is supposed to work. My mount names start with "slc..." so I want to break the mounts into their own event. However, no matter what setting I put in here, it doesn't seem to work.

Here is my props.conf:

[nfsiostat]
SHOULD_LINEMERGE = true
LINE_BREAKER = .*slc.*

Here is the output.
[me@servername default]# nfsiostat

slcd-nfs.domain.com:/vol/home mounted on /nas/path:

   op/s     rpc bklog
   0.02        0.00
read:             ops/s        kB/s       kB/op     retrans     avg RTT (ms)    avg exe (ms)
          0.000       0.005      50.130        0 (0.0%)      19.311      19.637
write:            ops/s        kB/s       kB/op     retrans     avg RTT (ms)    avg exe (ms)
          0.001       0.012      20.429        0 (0.0%)       2.913      27.751

slcd-nfs.domain.com:/vol/reg mounted on /nas/path:

   op/s     rpc bklog
   0.02        0.00
read:             ops/s        kB/s       kB/op     retrans     avg RTT (ms)    avg exe (ms)
          0.000       0.000       0.000        0 (0.0%)       0.000       0.000
write:            ops/s        kB/s       kB/op     retrans     avg RTT (ms)    avg exe (ms)
          0.000       0.000       0.000        0 (0.0%)       0.000       0.000

slcd-NFS.domain.com:/vol/utl mounted on /nas/path:

   op/s     rpc bklog
   0.02        0.00
read:             ops/s        kB/s       kB/op     retrans     avg RTT (ms)    avg exe (ms)
          0.000       0.013      64.058        0 (0.0%)       2.037       2.751
write:            ops/s        kB/s       kB/op     retrans     avg RTT (ms)    avg exe (ms)
          0.000       0.001       2.939        0 (0.0%)       3.816       3.906
0 Karma

richgalloway
SplunkTrust

Two key things about LINE_BREAKER:
1) It must contain a capturing group.
2) The capturing group is "throw-away" text that comes between events.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
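
The two rules in the reply above, as an added example that is not part of the original thread and is not Splunk's code: a simplified Python model of LINE_BREAKER run over a shortened, constructed copy of the nfsiostat output. Assumptions: Python's `re` stands in for Splunk's PCRE engine, the helper names are hypothetical, and `([\r\n]+)(?=slc)` is one candidate pattern that does not appear in the thread.

```python
import re

# Constructed sample, shortened from the nfsiostat output posted in the question.
SAMPLE = (
    "slcd-nfs.domain.com:/vol/home mounted on /nas/path:\n"
    "\n"
    "   op/s     rpc bklog\n"
    "   0.02        0.00\n"
    "\n"
    "slcd-nfs.domain.com:/vol/reg mounted on /nas/path:\n"
    "\n"
    "   op/s     rpc bklog\n"
    "   0.02        0.00\n"
    "\n"
    "slcd-NFS.domain.com:/vol/utl mounted on /nas/path:\n"
    "\n"
    "   op/s     rpc bklog\n"
    "   0.02        0.00\n"
)


def line_break(raw, line_breaker):
    """Split raw text the way the reply describes LINE_BREAKER (simplified model).

    Text before capture group 1 closes the current event, the group's own
    text is thrown away, and text after it opens the next event.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) < 0:  # group 1 did not take part in this match
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]  # drop empty leftovers


def try_breaker(line_breaker):
    """Return the events produced, or the error text for an unusable pattern."""
    try:
        return line_break(SAMPLE, line_breaker)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for candidate in (r".*slc.*", r"([\r\n]+)", r"([\r\n]+)(?=slc)"):
        result = try_breaker(candidate)
        print(candidate, "->", result if isinstance(result, str) else f"{len(result)} events")
```

In props.conf a breaker like the last one is normally paired with SHOULD_LINEMERGE = false, so the line-merging stage does not regroup the events afterwards.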

ludoz13
Path Finder

Hi,

Could you check the following conf?

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=slcd

It seems to work when I view your extract logs in data preview (Settings -> Add Data -> upload some extract logs -> check how Splunk indexes your data).

0 Karma