Getting Data In

Multiline FTP log

ngvella
Explorer

I've got windows FTP logs that are multiline that look like:

00:00:10 127.0.0.1  [57708]USER 123456 331 0 0 0 0 FTP
00:00:11 127.0.0.1  [57708]PASS - 230 0 0 0 1078 FTP
00:00:11 127.0.0.1  [57708]created /test.txt 226 0 0 11051 94 FTP
00:00:11 127.0.0.1  [57708]QUIT - 226 0 0 0 0 FTP
00:00:57 127.0.0.1  [57728]USER 123456 331 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]PASS - 230 0 0 0 1532 FTP
00:00:58 127.0.0.1  [57728]CWD inbox 250 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]CWD ~ 250 0 0 0 0 FTP
00:00:59 127.0.0.1  [57728]CWD / 250 0 0 0 16 FTP
00:00:59 127.0.0.1  [57728]QUIT - 250 0 0 0 0 FTP

the bracketed number is like the session ID so i want to group all of those as 1 event. I tried linebreaking my props.conf with the following but it doesn't seem to be working. It's indexing around 200 lines (multiple session IDs) as one event.

[sourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = (\d\d:\d\d:\d\d .* \w\[\d+\]USER)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The \w in the BREAK_ONLY_BEFORE line appears to be causing matches to fail.

---
If this reply helps you, Karma would be appreciated.

ngvella
Explorer

Yeah i tested the regex out and it was definitely wrong, but i changed it to remove the \w and it's still indexing 257 lines per event.

0 Karma
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...