
Opsec_lea not breaking even reliably


I have the script working well and reliably getting all new logs from Checkpoint CMA into Splunk. I am starting to notice that about 10 messages per 24 hours are not breaking correctly. They end up being around 257 lines long before the event breaks.

How can I force the events to be broken reliably when imported by the

All events start with loc= and should end with \r\n.

I have the sourcetype set in inputs.conf where the script is called

disabled = 0
sourcetype = checkpoint_firewall

I am attempting to set the linebreaking in the props.conf

TIME_FORMAT= %d%b%Y %H:%M:%S
#LINE_BREAKER = ([\r\n]+)(?=loc\=)
#LINE_BREAKER = ([\r\n])(?=loc\=)

You can see my attempts at forcing a new event in the comments above.

Any suggestions on how to force a linebreak for these events?


Re: Opsec_lea not breaking even reliably


It's probably just because of the default MAX_EVENTS setting of 256. Just add:


to your props.conf rules for the sourcetype.



Re: Opsec_lea not breaking even reliably


If that gives me events that could have 9999999 lines in them, then I would want the opposite (MAXEVENTS=1). I think I solved it with the ALWAYSBREAK_BEFORE=loc (had to restart the Splunk daemon).

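As an added example, not part of the thread above: a small Python model of the two stages of Splunk event breaking, LINE_BREAKER first and then line merging governed by BREAK_ONLY_BEFORE and MAX_EVENTS, run over constructed Checkpoint-style records. MAX_EVENTS is the cap on lines per event (default 256), which is why input that never hits a break rule shows up as roughly 256-line events; the props.conf key for the fix the last poster describes is BREAK_ONLY_BEFORE. The sample records, field values and the timestamp regex are assumptions, and the model replaces Splunk's real timestamp recognition with a regex for the thread's TIME_FORMAT.

```python
import re

# Constructed sample in the style of Checkpoint OPSEC LEA records (values made up).
# The third record carries an embedded CRLF inside a quoted value, the case where
# breaking on every newline would split one record in two.
SAMPLE = (
    "loc=1 time=12Mar2012 10:00:01 action=accept src=10.0.0.1 dst=10.0.0.2\r\n"
    "loc=2 time=12Mar2012 10:00:02 action=drop src=10.0.0.3 dst=10.0.0.4\r\n"
    'loc=3 time=12Mar2012 10:00:03 action=accept rule_name="multi\r\nline rule" src=10.0.0.5\r\n'
    "loc=4 time=12Mar2012 10:00:04 action=accept src=10.0.0.6 dst=10.0.0.7\r\n"
)

DEFAULT_LINE_BREAKER = r"([\r\n]+)"   # Splunk's default LINE_BREAKER
DEFAULT_MAX_EVENTS = 256              # Splunk's default MAX_EVENTS (lines per event)
# Assumed stand-in for timestamp recognition, matching the thread's TIME_FORMAT (%d%b%Y %H:%M:%S).
CHECKPOINT_TS = r"\d{1,2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}"


def line_break(raw, line_breaker=DEFAULT_LINE_BREAKER):
    """Stage 1 (LINE_BREAKER): the text matched by the first capturing group is
    discarded and a boundary is placed there. A lookahead such as (?=loc=) is not
    consumed, so only newlines that precede a new record become boundaries."""
    pieces, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        start, end = m.span(1)
        pieces.append(raw[pos:start])
        pos = end
    pieces.append(raw[pos:])
    # A terminator at the very end of the input has nothing after it to break
    # before; it is dropped here, as in a live stream the next record would follow it.
    return [p.rstrip("\r\n") for p in pieces if p.strip("\r\n")]


def line_merge(lines, break_only_before=None, max_events=DEFAULT_MAX_EVENTS,
               timestamp=CHECKPOINT_TS):
    """Stage 2 (SHOULD_LINEMERGE=true, the default): glue lines into events.
    With BREAK_ONLY_BEFORE set, a new event starts only on a line matching it;
    otherwise a new event starts on a line carrying a timestamp. Either way an
    event is cut once it holds MAX_EVENTS lines."""
    events, current = [], []
    for line in lines:
        if break_only_before is not None:
            starts_new = re.search(break_only_before, line) is not None
        else:
            starts_new = re.search(timestamp, line) is not None
        if current and (starts_new or len(current) >= max_events):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def splunk_events(raw, line_breaker=DEFAULT_LINE_BREAKER, should_linemerge=True,
                  break_only_before=None, max_events=DEFAULT_MAX_EVENTS):
    """Apply both stages the way a props.conf stanza would configure them."""
    lines = line_break(raw, line_breaker)
    if not should_linemerge:
        return lines
    return line_merge(lines, break_only_before, max_events)


def demo():
    """Event counts for three configurations over 300 constructed records that
    carry no timestamp, so timestamp-based merging never fires."""
    no_ts = "".join(f"loc={i} action=accept src=10.0.0.{i % 250}\r\n" for i in range(1, 301))
    return {
        # Default props.conf: lines merge until MAX_EVENTS caps the event at 256 lines.
        "default": len(splunk_events(no_ts)),
        # The commented-out LINE_BREAKER from the question, with SHOULD_LINEMERGE=false
        # so stage 2 cannot re-merge what stage 1 split.
        "LINE_BREAKER lookahead": len(splunk_events(no_ts, r"([\r\n]+)(?=loc=)",
                                                    should_linemerge=False)),
        # Keep line merging but start events only at loc=.
        "BREAK_ONLY_BEFORE": len(splunk_events(no_ts, break_only_before=r"^loc=")),
    }


if __name__ == "__main__":
    print(demo())
    for ev in splunk_events(SAMPLE, break_only_before=r"^loc="):
        print(repr(ev))
```

Both working configurations keep the embedded CRLF of the third sample record inside one event; the default configuration on records without a recognisable timestamp yields one 256-line event followed by the remainder, which is the symptom in the question.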