I have the lea-loggrabber.sh script working well and reliably getting all new logs from the Check Point CMA into Splunk. I am starting to notice that about 10 messages per 24 hours are not breaking correctly. They end up being around 257 lines long before the event breaks.
How can I force the events to be broken reliably when they are imported by lea-loggrabber.sh?
All events start with loc= and should end with \r\n.
I have the sourcetype set in inputs.conf where the script is called:
[script:///opt/splunkbeta/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh]
disabled = 0
sourcetype = checkpoint_firewall
I am attempting to set the line breaking in props.conf:
[checkpoint_firewall]
TIME_PREFIX= time=
TIME_FORMAT= %d%b%Y %H:%M:%S
BREAK_ONLY_BEFORE=loc
#LINE_BREAKER = ([\r\n]+)(?=loc\=)
#LINE_BREAKER = ([\r\n])(?=loc\=)
You can see my attempts at forcing a new event in the commented-out lines above.
Any suggestions on how to force a line break for these events?

It's probably just because of the default MAX_EVENTS
setting of 256. Just add:
MAX_EVENTS=999999
to your props.conf rules for the sourcetype.
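To see why a stream of one-line events can come out as ~256-line blobs, and to check a candidate line-breaking regex before it goes into props.conf, here is a small model of the two props.conf strategies discussed above. This is an added example, not code from the thread, from Splunk, or from lea-loggrabber: `merge_lines` is a simplified model of SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE and the MAX_EVENTS cap, `split_with_line_breaker` is a simplified model of SHOULD_LINEMERGE=false with the LINE_BREAKER regex from the question, and the sample log lines and field values are constructed for the demonstration.

```python
"""Model of Splunk event breaking for a Check Point lea-loggrabber stream.

Added example; the two functions approximate Splunk's behaviour and are
not Splunk code.  Sample data is constructed.
"""
import re

# Constructed sample: three single-line events, each starting with "loc="
# and ending in \r\n, with one stray blank line in the middle.  The time
# field follows the question's TIME_FORMAT (%d%b%Y %H:%M:%S).
SAMPLE = (
    "loc=1 time=10Jan2014 10:00:01 action=accept src=10.0.0.1\r\n"
    "loc=2 time=10Jan2014 10:00:02 action=drop src=10.0.0.2\r\n"
    "\r\n"
    "loc=3 time=10Jan2014 10:00:03 action=accept src=10.0.0.3\r\n"
)

# The LINE_BREAKER candidate from the question: the capture group is the
# separator that gets discarded, the lookahead keeps "loc=" in the event.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=loc=)")


def split_with_line_breaker(raw, pattern=LINE_BREAKER):
    """Model of SHOULD_LINEMERGE=false + LINE_BREAKER.

    Every match of the pattern ends one event and starts the next; the
    matched separator itself is dropped.  No line-count cap is involved.
    """
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start()])
        start = m.end()
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


def merge_lines(raw, break_only_before, max_events=256):
    """Model of SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE + MAX_EVENTS.

    Lines are glued onto the current event unless the line matches
    break_only_before (an unanchored regex search, like Splunk's) or the
    event already holds max_events lines.  The 256 default is what turns
    an unmatched stream into ~256-line events.
    """
    pat = re.compile(break_only_before)
    events, current = [], []
    for line in raw.splitlines():
        if current and (pat.search(line) or len(current) >= max_events):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def lines_per_event(events):
    """Line count of each event; the fingerprint of a MAX_EVENTS cut is
    a run of events exactly max_events lines long."""
    return [len(e.split("\n")) for e in events]


def demo_max_events_cut(n_lines=600):
    """600 constructed one-line events fed through a BREAK_ONLY_BEFORE
    regex that never matches (constructed misconfiguration: wrong case),
    then through one that matches every line."""
    stream = "".join(f"loc={i} time=10Jan2014 10:00:00 msg=x\r\n"
                     for i in range(n_lines))
    never_matches = lines_per_event(merge_lines(stream, r"^LOC="))
    matches = lines_per_event(merge_lines(stream, r"loc"))
    return never_matches, matches


if __name__ == "__main__":
    print(split_with_line_breaker(SAMPLE))
    print(lines_per_event(merge_lines(SAMPLE, r"loc")))
    print(demo_max_events_cut())
```

Running it shows the two halves of the thread: a break regex that never fires yields events of 256, 256 and 88 lines for a 600-line stream, which is the shape the question describes, while the LINE_BREAKER regex cuts the sample into three clean `loc=` events with the blank line discarded. In real Splunk the LINE_BREAKER route needs SHOULD_LINEMERGE=false in the same stanza, and it does not depend on MAX_EVENTS at all, which is why it is the usual fix for single-line sources rather than raising the cap.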
If that gives me events that could have 9999999 lines in them, then I would want the opposite (MAX_EVENTS=1). I think I solved it with ALWAYS_BREAK_BEFORE=loc (I had to restart the Splunk daemon).
