Multiline FTP log

ngvella · ‎02-03-2015

I've got windows FTP logs that are multiline that look like:

00:00:10 127.0.0.1  [57708]USER 123456 331 0 0 0 0 FTP
00:00:11 127.0.0.1  [57708]PASS - 230 0 0 0 1078 FTP
00:00:11 127.0.0.1  [57708]created /test.txt 226 0 0 11051 94 FTP
00:00:11 127.0.0.1  [57708]QUIT - 226 0 0 0 0 FTP
00:00:57 127.0.0.1  [57728]USER 123456 331 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]PASS - 230 0 0 0 1532 FTP
00:00:58 127.0.0.1  [57728]CWD inbox 250 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]CWD ~ 250 0 0 0 0 FTP
00:00:59 127.0.0.1  [57728]CWD / 250 0 0 0 16 FTP
00:00:59 127.0.0.1  [57728]QUIT - 250 0 0 0 0 FTP

the bracketed number is like the session ID so i want to group all of those as 1 event. I tried linebreaking my props.conf with the following but it doesn't seem to be working. It's indexing around 200 lines (multiple session IDs) as one event.

[sourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = (\d\d:\d\d:\d\d .* \w\[\d+\]USER)

richgalloway · ‎02-03-2015

The \w in the BREAK_ONLY_BEFORE line appears to be causing matches to fail.

---
If this reply helps you, Karma would be appreciated.

ngvella · ‎02-03-2015

Yeah i tested the regex out and it was definitely wrong, but i changed it to remove the \w and it's still indexing 257 lines per event.

Multiline FTP log

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Multiline FTP log

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk