MUST_BREAK_AFTER seems ignored

viraptor
New Member

I've got the following in the log file:

[80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] session_id=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] method="GET" path="/cart" format="html"....

Only the last line format is known. The initial lines can contain any format. Otherwise, they will all start with the same uuid.

And the following settings for props:

[rails_lograge]
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = false
KV_MODE = auto_escaped
MAX_TIMESTAMP_LOOKAHEAD = 250
MUST_BREAK_AFTER = \[[-0-9a-f]*\] method="[A-Z].*
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SHOULD_LINEMERGE = true
TIME_PREFIX = time="

The log uses the correct sourcetype, however I cannot get the line merging to work as expected. Each line is a separate entry in the search output and it looks like the SHOULD_LINEMERGE is just ignored, along with MUST_BREAK_AFTER.

What can I do to make these lines a single event?

(I'm using Splunk 6.1)

aakwah
Builder

Hello,

I've never used "MUST_BREAK_AFTER" before, but you can use BREAK_ONLY_BEFORE instead. For the sample logs you have provided, the following configuration in props.conf is working fine:

 [rails_lograge]
 BREAK_ONLY_BEFORE = \[[-0-9a-f]*\] signed.*
 BREAK_ONLY_BEFORE_DATE = false
 KV_MODE = auto_escaped
 MAX_TIMESTAMP_LOOKAHEAD = 250
 SHOULD_LINEMERGE = true
 TIME_PREFIX = time="

Regards

viraptor
New Member

This doesn't really fix my issue. I've got any number of different key-value pairs before the last line. They can be in any order and there isn't any known initial entry. The only known line is the last one.

aakwah
Builder

I gave it another try with your configuration from the question and it worked fine on version 6.5.3.

I see that you are using version 6.1; this could be the reason, and it is also not working on 6.2 as per the first test I did.

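A simplified model of the two merge rules discussed in this thread, as an added example that is neither part of the thread nor Splunk's own code. It assumes BREAK_ONLY_BEFORE_DATE = false and no MUST_NOT_* rules, and uses a constructed second request (whose first line is not signed_in_user) to show why anchoring BREAK_ONLY_BEFORE on the first line cannot work when that line varies, while MUST_BREAK_AFTER on the known final line can.

```python
import re

# Constructed sample: two requests with different preamble lines,
# each ending in the one line whose format is known (method=...).
SAMPLE_LOG = """\
[80c729cb-d0fd-48a1-bdc8-f46219bce681] signed_in_user=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] session_id=abcdef
[80c729cb-d0fd-48a1-bdc8-f46219bce681] method="GET" path="/cart" format="html"
[1d2f3a4b-0000-4000-8000-000000000001] session_id=ghijkl
[1d2f3a4b-0000-4000-8000-000000000001] method="POST" path="/checkout" format="html"
"""

# The regexes from the question and from the first answer.
MUST_BREAK_AFTER = re.compile(r'\[[-0-9a-f]*\] method="[A-Z].*')
BREAK_ONLY_BEFORE = re.compile(r'\[[-0-9a-f]*\] signed.*')


def merge_events(text, break_only_before=None, must_break_after=None):
    """Simplified model (assumption) of SHOULD_LINEMERGE event assembly:
    a line matching BREAK_ONLY_BEFORE starts a new event; a line matching
    MUST_BREAK_AFTER ends the current event. Returns a list of events."""
    events, current = [], []
    for line in text.splitlines():
        starts_new = bool(break_only_before and break_only_before.search(line))
        if current and starts_new:
            events.append("\n".join(current))
            current = []
        current.append(line)
        if must_break_after and must_break_after.search(line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    # Anchoring on the last line yields one event per request (2 events);
    # anchoring on signed_in_user glues the second request onto the first (1 event).
    print(len(merge_events(SAMPLE_LOG, must_break_after=MUST_BREAK_AFTER)))
    print(len(merge_events(SAMPLE_LOG, break_only_before=BREAK_ONLY_BEFORE)))
```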