Getting Data In

Opsec_lea not breaking even reliably


i have the script working well and reliably getting all new logs from checkpoint cma into splunk. I am starting to notice that about 10 messages per 24 hours are not breaking correctly. They end up being around 257 lines long before the event breaks.

how can i force the events to be broken reliably when imported by the

all events start with loc= and should end with \r\n

I have the sourcetype set in inputs.conf where the script is called

disabled = 0
sourcetype = checkpoint_firewall

I am attempting to set the linebreaking in the props.conf

TIME_FORMAT= %d%b%Y %H:%M:%S
#LINE_BREAKER = ([\r\n]+)(?=loc\=)
#LINE_BREAKER = ([\r\n])(?=loc\=)

You can see my attempts at forcing a new event in the comments above.

Any suggestions on how to force a linebreak for these events?

0 Karma

Re: Opsec_lea not breaking even reliably


It's probably just because of the default MAX_EVENTS setting of 256. Just add:


to your props.conf rules for the sourcetype.

View solution in original post


Re: Opsec_lea not breaking even reliably


If that gives me events that could have 9999999 lines in them, then i would want the opposite (MAXEVENTS=1). I think i solved it with the ALWAYSBREAK_BEFORE=loc (had to restart the splunk daemon).

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.