Getting Data In
Highlighted

Opsec_lea not breaking even reliably

Communicator

i have the lea-loggrabber.sh script working well and reliably getting all new logs from checkpoint cma into splunk. I am starting to notice that about 10 messages per 24 hours are not breaking correctly. They end up being around 257 lines long before the event breaks.

how can i force the events to be broken reliably when imported by the lea-loggrabber.sh?

all events start with loc= and should end with \r\n

I have the sourcetype set in inputs.conf where the script is called

[script:///opt/splunkbeta/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh]
disabled = 0
sourcetype = checkpoint_firewall

I am attempting to set the linebreaking in the props.conf

[checkpoint_firewall]
TIME_PREFIX= time=
TIME_FORMAT= %d%b%Y %H:%M:%S
BREAK_ONLY_BEFORE=loc
#LINE_BREAKER = ([\r\n]+)(?=loc\=)
#LINE_BREAKER = ([\r\n])(?=loc\=)

You can see my attempts at forcing a new event in the comments above.

Any suggestions on how to force a linebreak for these events?

0 Karma
Highlighted

Re: Opsec_lea not breaking even reliably

Legend

It's probably just because of the default MAX_EVENTS setting of 256. Just add:

MAX_EVENTS=999999

to your props.conf rules for the sourcetype.

View solution in original post

Highlighted

Re: Opsec_lea not breaking even reliably

Communicator

If that gives me events that could have 9999999 lines in them, then i would want the opposite (MAXEVENTS=1). I think i solved it with the ALWAYSBREAK_BEFORE=loc (had to restart the splunk daemon).

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.