Getting Data In

Multiline FTP log

ngvella
Explorer

I've got windows FTP logs that are multiline that look like:

00:00:10 127.0.0.1  [57708]USER 123456 331 0 0 0 0 FTP
00:00:11 127.0.0.1  [57708]PASS - 230 0 0 0 1078 FTP
00:00:11 127.0.0.1  [57708]created /test.txt 226 0 0 11051 94 FTP
00:00:11 127.0.0.1  [57708]QUIT - 226 0 0 0 0 FTP
00:00:57 127.0.0.1  [57728]USER 123456 331 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]PASS - 230 0 0 0 1532 FTP
00:00:58 127.0.0.1  [57728]CWD inbox 250 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]CWD ~ 250 0 0 0 0 FTP
00:00:59 127.0.0.1  [57728]CWD / 250 0 0 0 16 FTP
00:00:59 127.0.0.1  [57728]QUIT - 250 0 0 0 0 FTP

the bracketed number is like the session ID so i want to group all of those as 1 event. I tried linebreaking my props.conf with the following but it doesn't seem to be working. It's indexing around 200 lines (multiple session IDs) as one event.

[sourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = (\d\d:\d\d:\d\d .* \w\[\d+\]USER)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The \w in the BREAK_ONLY_BEFORE line appears to be causing matches to fail.

---
If this reply helps you, Karma would be appreciated.

ngvella
Explorer

Yeah i tested the regex out and it was definitely wrong, but i changed it to remove the \w and it's still indexing 257 lines per event.

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...