Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Testing props.conf file of app in $SPLUNK_HOME/etc/apps/my_app/local

kuokhoet
New Member
‎11-20-2017 12:12 PM

I am having some issues breaking a multiline event properly. Each event starts with a 'Date ...' string that I can use as an event break so I used the web app to create a sourcetype that uses the regex Date.* to separate out the event. I loaded some dummy data events and they were all broken into 1 line each instead of the entire event of 10+ lines.

I've played with the splunk cli test sourcetype but could not figure out how to specify the app context. Is there a way to test out the app's .conf file besides loading and reloading my test data in? I'm doing all of this on a single server instance.

Tags (2)
0 Karma
Reply

kuokhoet
New Member
‎11-27-2017 06:50 AM

Here's a generic template for the event. The "Date/Time" line is where I'd like to break the events.

Date/Time: mm/dd/YY HH:MM:SS AM/PM
Field :
Field :
Field :
...

Raw data:
[hex]
[hex]
[hex]
...

0 Karma
Reply

afamoyib
Path Finder
‎11-21-2017 01:52 PM

I make use of notepad ++ to test regex i develop. One other thing i will suggest is having your own personal playground, and deploy logs to that playground under the new sourcetype. You can always just wipe the index of your own playground when you are done with it

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2017 08:40 AM

Hi kuokhoet,
having an example of your logs I'd help you better.
Anyway, if your date start from the beginning of a log event, put in your props, in the stanza of the related sourcetype:

TIME_PREFIX = ^
TIME_FORMAT = your_format

Bye.
Giuseppe

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-21-2017 08:33 AM

Hi
Can you share sample events and configurations for breakline?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...