Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Opsec_lea not breaking even reliably

EricPartington
Communicator
‎03-12-2011 04:57 PM

i have the lea-loggrabber.sh script working well and reliably getting all new logs from checkpoint cma into splunk. I am starting to notice that about 10 messages per 24 hours are not breaking correctly. They end up being around 257 lines long before the event breaks.

how can i force the events to be broken reliably when imported by the lea-loggrabber.sh?

all events start with loc= and should end with \r\n

I have the sourcetype set in inputs.conf where the script is called

[script:///opt/splunkbeta/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh]
disabled = 0
sourcetype = checkpoint_firewall

I am attempting to set the linebreaking in the props.conf

[checkpoint_firewall]
TIME_PREFIX= time=
TIME_FORMAT= %d%b%Y %H:%M:%S
BREAK_ONLY_BEFORE=loc
#LINE_BREAKER = ([\r\n]+)(?=loc\=)
#LINE_BREAKER = ([\r\n])(?=loc\=)

You can see my attempts at forcing a new event in the comments above.

Any suggestions on how to force a linebreak for these events?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-12-2011 05:11 PM

It's probably just because of the default MAX_EVENTS setting of 256. Just add:

MAX_EVENTS=999999

to your props.conf rules for the sourcetype.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-12-2011 05:11 PM

It's probably just because of the default MAX_EVENTS setting of 256. Just add:

MAX_EVENTS=999999

to your props.conf rules for the sourcetype.

Reply
Solved! Jump to solution

EricPartington
Communicator
‎03-13-2011 03:28 AM

If that gives me events that could have 9999999 lines in them, then i would want the opposite (MAX_EVENTS=1). I think i solved it with the ALWAYS_BREAK_BEFORE=loc (had to restart the splunk daemon).

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...