Why does linebreaking regex have no capturing groups?

jackin
Path Finder

Hi

Need help to fix the below error.

[screenshot of the error message]

My props:

[screenshot of the props.conf stanza]


Sample events:

[screenshot of the sample events]

richgalloway
SplunkTrust

As the message says, the LINE_BREAKER attribute must contain a capture group (a set of parentheses).  Try LINE_BREAKER = ()^\{

You only need to specify LINE_BREAKER once in a stanza.

---
If this reply helps you, Karma would be appreciated.

jackin
Path Finder

Thanks for the reply @richgalloway

When applying a linebreaker, all logs fall under a single line.

It is showing "Failed to parse timestamp. Defaulting to file modtime".

richgalloway
SplunkTrust

Failing to parse timestamps is a different problem.  Please post a new question so this one can focus on the line breaking problem.

What do you mean by "all logs fall under a single line"?  The sample events appear to be multi-line.


jackin
Path Finder

Hi

After using the below props configuration, the same error as mentioned above is coming.

SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+){
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=^\{
CHARSET=UTF-8
disabled=false
KV_MODE=json
MAX_TIMESTAMP_LOOKAHEAD=70
TIME_PREFIX="(timeStamp|evtime)"\s*:\s*"
# %I is the 12-hour clock; a 24-hour ISO-8601 time such as 2023-05-12T14:05:09 needs %H
TIME_FORMAT=%Y-%m-%dT%I:%M:%S
TRUNCATE=999999

richgalloway
SplunkTrust

Remove the BREAK_ONLY_BEFORE setting.


jackin
Path Finder

If I remove it. Logs are not breaking properly.


richgalloway
SplunkTrust

You shouldn't have both BREAK_ONLY_BEFORE and LINE_BREAKER in the same stanza.  Choose one or the other.  If you don't use LINE_BREAKER then SHOULD_LINEMERGE should be set to true.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Configureeventlinebreaking for details.

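A way to check a LINE_BREAKER regex offline before pushing props.conf to an indexer, added here as an example; it is not code from this thread or from Splunk. It follows the documented LINE_BREAKER semantics: at every match, the start of the first capture group ends the previous event, the end of that group starts the next one, and the captured text is discarded. The three pretty-printed JSON events and their key names are constructed, and the `multiline` switch is hypothetical (Splunk has no such setting): it only shows how much the answer depends on whether `^` anchors every line or just the start of the buffer, which is a plausible reason for "all logs fall under a single line" but is not something the thread establishes. BREAK_ONLY_BEFORE is a line-merging setting, so with SHOULD_LINEMERGE=false it has no effect, which is why the two should not be mixed.

```python
import re

# Constructed sample input (not taken from the original post): three pretty-printed
# JSON events, each spanning five lines, as they might arrive in a log file.
BLOCK1 = '{\n  "timeStamp": "2023-05-12T10:15:00",\n  "level": "INFO",\n  "msg": "first"\n}\n'
BLOCK2 = '{\n  "timeStamp": "2023-05-12T10:15:01",\n  "level": "WARN",\n  "msg": "second"\n}\n'
BLOCK3 = '{\n  "timeStamp": "2023-05-12T10:15:02",\n  "level": "ERROR",\n  "msg": "third"\n}\n'
SAMPLE = BLOCK1 + BLOCK2 + BLOCK3


def line_break(raw, line_breaker, multiline=True):
    """Split `raw` into events the way Splunk documents LINE_BREAKER
    (with SHOULD_LINEMERGE=false, so no line merging happens afterwards).

    For each match: the start of capture group 1 ends the previous event,
    the end of capture group 1 starts the next event, and the captured text
    is discarded.  `multiline` is a hypothetical switch (Splunk has no such
    setting) that chooses whether ^ anchors every line or only the start of
    the buffer.
    """
    pattern = re.compile(line_breaker, re.MULTILINE if multiline else 0)
    if pattern.groups < 1:
        # Same condition that produces the "must contain a capture group" error.
        raise ValueError("LINE_BREAKER regex has no capturing groups")

    events = []
    start = 0
    for m in pattern.finditer(raw):
        if m.start(1) > start:          # no empty event when the match sits at `start`
            events.append(raw[start:m.start(1)])
        start = m.end(1)                # the captured delimiter text is dropped
    if raw[start:].strip():
        events.append(raw[start:])      # whatever remains after the last delimiter
    return events


def event_count(line_breaker, multiline=True):
    """Number of events SAMPLE is split into by the given LINE_BREAKER."""
    return len(line_break(SAMPLE, line_breaker, multiline))


if __name__ == "__main__":
    # ()^\{ keeps the trailing newline on each event, ([\r\n]+){ discards it,
    # and the default ([\r\n]+) breaks on every newline, giving 15 one-line events.
    for regex in (r"()^\{", r"([\r\n]+){", r"([\r\n]+)"):
        print(f"{regex:14} -> {event_count(regex)} events")
    print(r"()^\{ with ^ anchoring only the buffer start ->",
          event_count(r"()^\{", multiline=False), "event(s)")
```

Run it with a copy of your own sample file in place of SAMPLE and compare the event count with what the indexer produces; if they differ, the regex is being evaluated differently on the indexer and the regex, not the line-merging settings, is what to revisit.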