Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing - Chrome Log

serviceinfrastr
Explorer
‎09-19-2018 11:30 PM

Hi Community,

We have some issue with one of our cloud product and we need to collect our chrome browser log.

So we havea log file like this :

[2368:3448:0911/104129.306:INFO:CONSOLE(9006)] "Handling message type", source: https://dhqbrvplips7x.cloudfront.net/directory/5039/assets/web-directory-7ffa5c07600e16c16ba36787264... (9006)
[2368:3448:0911/104129.331:INFO:CONSOLE(9006)] "Handling message type", source: https://dhqbrvplips7x.cloudfront.net/directory/5039/assets/web-directory-7ffa5c07600e16c16ba36787264... (9006)
[2368:3448:0911/104129.353:INFO:CONSOLE(9006)] "Handling message type", source: https://dhqbrvplips7x.cloudfront.net/directory/5039/assets/web-directory-7ffa5c07600e16c16ba36787264... (9006)
[2368:3448:0911/104129.366:INFO:CONSOLE(9006)] "Handling message type", source: https://dhqbrvplips7x.cloudfront.net/directory/5039/assets/web-directory-7ffa5c07600e16c16ba36787264... (9006)
[2368:3448:0911/104140.068:INFO:CONSOLE(9013)] "STASH-LOGGER: sendLogTraces", source: https://dhqbrvplips7x.cloudfront.net/directory/5039/assets/web-directory-7ffa5c07600e16c16ba36787264... (9013)
[2368:3448:0911/104150.489:INFO:CONSOLE(372)] "Other topic: 
{
    "topicName": "channel.metadata",
    "eventBody": {
        "message": "WebSocket Heartbeat"
    }
}", source: chrome-extension://bkmeadpinckobiapkihcoenmipobdaio/background/background.js (372)
[2368:3448:0911/104150.499:INFO:CONSOLE(312)] "Sending ping WS healthcheck", source: chrome-extension://bkmeadpinckobiapkihcoenmipobdaio/background/background.js (312)
[2368:3448:0911/104150.519:INFO:CONSOLE(372)] "Other topic: 
{
    "topicName": "channel.metadata",
    "eventBody": {
        "message": "pong"
    }
}", source: chrome-extension://bkmeadpinckobiapkihcoenmipobdaio/background/background.js (372)
[2368:3448:0911/104150.519:INFO:CONSOLE(374)] "Pong WS healthcheck received.", source: chrome-extension://bkmeadpinckobiapkihcoenmipobdaio/background/background.js (374)

I made this props.conf but it's not correct in my search

My props.conf

[chrome:log]
LINE_BREAKER=^\[\d+.\d+:\d+\/\d+.
CHARSET=latin-1
SHOULD_LINEMERGE=true
TIME_FORMAT=%m%d/%H%M%S.%3N
category=Miscellaneous
description=A common log format with a predefined timestamp. Customize timestamp in "Timestamp" options
disabled=false
pulldown_type=true
TIME_PREFIX=\[\d+.\d+

But in my search i have again 2 or more line by events (like this) :

alt text

Can you help me 🙂

Many Thanks

Preview file
84 KB
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2018 05:59 AM

The LINE_BREAKER attribute requires a capture group. Also, I think the TIME_PREFIX setting doesn't match your events. Try these settings.

[chrome:log]
LINE_BREAKER=([\r\n]+)\[\d+.\d+:\d+\/\d+.
CHARSET=latin-1
SHOULD_LINEMERGE=false
TIME_FORMAT=%m%d/%H%M%S.%3N
disabled=false
TIME_PREFIX=\[\d+:\d+:
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2018 05:59 AM

The LINE_BREAKER attribute requires a capture group. Also, I think the TIME_PREFIX setting doesn't match your events. Try these settings.

[chrome:log]
LINE_BREAKER=([\r\n]+)\[\d+.\d+:\d+\/\d+.
CHARSET=latin-1
SHOULD_LINEMERGE=false
TIME_FORMAT=%m%d/%H%M%S.%3N
disabled=false
TIME_PREFIX=\[\d+:\d+:
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

serviceinfrastr
Explorer
‎09-21-2018 05:38 AM

Hi richgalloway

Thanks for your help this is perfect !!!

So another issue in my side was a permission on my Splunk TA folder, so it was not replicated to the indexer.

All is ok now

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-21-2018 06:03 AM

@serviceinfrastructure, If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...