Re: Testing props.conf file of app in $SPLUNK_HOME...

kuokhoet · ‎11-20-2017

I am having some issues breaking a multiline event properly. Each event starts with a 'Date ...' string that I can use as an event break so I used the web app to create a sourcetype that uses the regex Date.* to separate out the event. I loaded some dummy data events and they were all broken into 1 line each instead of the entire event of 10+ lines.

I've played with the splunk cli test sourcetype but could not figure out how to specify the app context. Is there a way to test out the app's .conf file besides loading and reloading my test data in? I'm doing all of this on a single server instance.

kuokhoet · ‎11-27-2017

Here's a generic template for the event. The "Date/Time" line is where I'd like to break the events.

Date/Time: mm/dd/YY HH:MM:SS AM/PM
Field :
Field :
Field :
...

Raw data:
[hex]
[hex]
[hex]
...

afamoyib · ‎11-21-2017

I make use of notepad ++ to test regex i develop. One other thing i will suggest is having your own personal playground, and deploy logs to that playground under the new sourcetype. You can always just wipe the index of your own playground when you are done with it

gcusello · ‎11-21-2017

Hi kuokhoet,
having an example of your logs I'd help you better.
Anyway, if your date start from the beginning of a log event, put in your props, in the stanza of the related sourcetype:

TIME_PREFIX = ^
TIME_FORMAT = your_format

Bye.
Giuseppe

kamlesh_vaghela · ‎11-21-2017

Hi
Can you share sample events and configurations for breakline?

Testing props.conf file of app in $SPLUNK_HOME/etc/apps/my_app/local

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk