Parsing of log using UF

mukhan1
Explorer

Hello Team,

I was trying to parse my data by updating the props.conf file. I have created this file in (C:\Program Files\SplunkUniversalForwarder\etc\system\local\props.conf)

[t24protocollog]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=^@ID[\s\S]*?REMARK.*$
NO_BINARY_CHECK=true
disabled=false

by using the above configuration file.
When I'm using the regex it separates each line as an event instead of defining the start and end point of an event. I checked this regex on regex101.com and it is giving me the proper result there, but not in Splunk. Attaching a screenshot of how my logs are showing in the Splunk GUI.

Below is the content of log file.
--------------------------------------

LIST F.PROTOCOL @ID PROTOCOL.ID PROCESS.DATE TIME.MSECS K.USER APPLICATION LEVEL.FUNCTION ID REMARK PAGE 1 11:34:02 23 NOV 2023

@ID............ 202403.16
@ID............ 202403.16
PROTOCOL.ID.... 202403.16
PROCESS.DATE... 20230926
TIME.MSECS..... 11:15:23:649
K.USER......... INPUTTER
APPLICATION.... DC.ENTRY
LEVEL.FUNCTION. 1
ID.............
REMARK......... QUIRY - AC.REPORT

@ID............ 202303.16
@ID............ 202303.16
PROTOCOL.ID.... 202303.16
PROCESS.DATE... 20230926
TIME.MSECS..... 11:15:23:649
K.USER......... INPUTTER
APPLICATION.... AC.ENTRY
LEVEL.FUNCTION. 1
ID.............
REMARK......... ENQUIRY - AC.REPORT

Kindly do let me know if I'm doing anything wrong; I need to parse the log file.


mukhan1
Explorer

Hello @gcusello ,

Thanks for your response; however, I manually uploaded my sample logs and the problem is that when I'm providing the regex for the event breaker it shows me a result on each line, making every line an event. I've uploaded a screenshot of how it is showing me the data; you can see the attached file.

Also, you can take the below sample logs:

LIST F.PROTOCOL @ID PROTOCOL.ID PROCESS.DATE TIME.MSECS K.USER APPLICATION LEVEL.FUNCTION ID REMARK PAGE 1 11:34:02 23 NOV 2023

@ID............ 202403.16
@ID............ 202403.16
PROTOCOL.ID.... 202403.16
PROCESS.DATE... 20230926
TIME.MSECS..... 11:15:23:649
K.USER......... INPUTTER
APPLICATION.... DC.ENTRY
LEVEL.FUNCTION. 1
ID.............
REMARK......... QUIRY - AC.REPORT

@ID............ 202303.16
@ID............ 202303.16
PROTOCOL.ID.... 202303.16
PROCESS.DATE... 20230926
TIME.MSECS..... 11:15:23:649
K.USER......... INPUTTER
APPLICATION.... AC.ENTRY
LEVEL.FUNCTION. 1
ID.............
REMARK......... ENQUIRY - AC.REPORT

By using this regex "^@ID[\s\S]*?REMARK.*$" I'm getting the correct data on regex101.
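Added illustration, not part of the thread: a small Python model of the documented LINE_BREAKER contract, applied to the sample above. LINE_BREAKER must contain a capturing group; that group marks where one event ends and the next begins, and its text is discarded. The regex posted above has no capturing group and describes a whole record rather than the gap between records, so the model rejects it; RECORD_BREAKER is a constructed alternative that breaks on the blank line before the repeated @ID lines. The abbreviated sample, the function names and RECORD_BREAKER are all constructed here.

```python
import re

# Constructed sample, abbreviated from the thread's log excerpt: the LIST header,
# then two records that each open with a repeated @ID line and end at REMARK.
SAMPLE = (
    "LIST F.PROTOCOL @ID PROTOCOL.ID PROCESS.DATE TIME.MSECS K.USER APPLICATION LEVEL.FUNCTION ID REMARK PAGE 1 11:34:02 23 NOV 2023\n\n"
    "@ID............ 202403.16\n@ID............ 202403.16\nPROTOCOL.ID.... 202403.16\n"
    "K.USER......... INPUTTER\nAPPLICATION.... DC.ENTRY\nLEVEL.FUNCTION. 1\n"
    "ID.............\nREMARK......... QUIRY - AC.REPORT\n\n"
    "@ID............ 202303.16\n@ID............ 202303.16\nPROTOCOL.ID.... 202303.16\n"
    "K.USER......... INPUTTER\nAPPLICATION.... AC.ENTRY\nLEVEL.FUNCTION. 1\n"
    "ID.............\nREMARK......... ENQUIRY - AC.REPORT\n"
)

# The regex from the question describes a whole event and has no capturing group.
ORIGINAL_BREAKER = r"^@ID[\s\S]*?REMARK.*$"
# Constructed breaker of the shape LINE_BREAKER expects: the captured newline run is
# the boundary (discarded), pinned by a lookahead to a record start (two @ID lines).
RECORD_BREAKER = r"([\r\n]+)(?=@ID[^\r\n]*[\r\n]+@ID)"

def splunk_line_break(raw, line_breaker):
    """Model of LINE_BREAKER with SHOULD_LINEMERGE=false: at each match the first
    capturing group ends one event, starts the next, and is dropped from both."""
    pattern = re.compile(line_breaker)
    if pattern.groups == 0:
        # Splunk documents that LINE_BREAKER must contain a capturing group.
        raise ValueError("LINE_BREAKER needs a capturing group: %r" % line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]

FIELD = re.compile(r"^(@?[A-Z][A-Z.]*?)\.+(?: (.*))?$", re.M)

def parse_record(event):
    """Turn one 'NAME..... value' event into a dict (bare names get '')."""
    return {name: value for name, value in FIELD.findall(event)}

if __name__ == "__main__":
    try:
        splunk_line_break(SAMPLE, ORIGINAL_BREAKER)
    except ValueError as err:
        print("rejected:", err)
    for ev in splunk_line_break(SAMPLE, RECORD_BREAKER):
        print(parse_record(ev) or ev)
```

The header line comes out as its own event with no parseable fields, which is the cue to drop or route it separately once the record boundaries are right.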

gcusello
SplunkTrust

Hi @mukhan1,

At first, parsing is done on Indexers or (when present) on Heavy Forwarders, never on Universal Forwarders.

The only exception is INDEXED_EXTRACTIONS (e.g. csv), where parsing starts on the UF.

Anyway, see if an add-on already exists for the technology you want to parse.

Then my hint is to take a sample of your logs and manually upload it in your Splunk (using the Add Data feature) so you can use the guided sourcetype creation.

Ciao.

Giuseppe
