Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does linebreaking regex have no capturing groups?

jackin
Path Finder
‎05-12-2023 03:00 AM

Hi

Need help to fix the below error

jackin_0-1683885511356.png

 My Props :

jackin_1-1683885571420.png


Sample events:

jackin_2-1683885624631.png

 

Labels (4)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-12-2023 05:27 AM

As the message says, the LINE_BREAKER attribute must contain a capture group (a set of parenthses).  Try LINE_BREAKER = ()^\{

You only need to specify LINE_BREAKER once in a stanza.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jackin
Path Finder
‎05-12-2023 06:35 AM

Thanks for reply @richgalloway 

When applying a linebreaker, all logs fall under a single line.

It is showing like Failed to parse timestamp Defaulting to file modtime

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-12-2023 06:49 AM

Failing to parse timestamps is a different problem.  Please post a new question so this one can focus on the line breaking problem.

What do you mean by "all logs fall under a single line"?  The sample events appear to be multi-line.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jackin
Path Finder
‎05-18-2023 09:13 PM

Hi

after using the below props configuration , the same error as mentioned above is coming ..

SHOULD_LINEMERGE=false
LINE BREAKER=([\r\n]+){
NO BINARY CHECK-true
BREAK ONLY_BEFORE=^\{
CHARSET=UTF-8
disabled=false
KV MODE=json
MAX TIMESTAMP LOOKAHEAD=70
TIME PREFIX="(timeStamplevtime)"\s*: \s*"
TIME FORMAT=%Y-%m-%dT%I:%M:%S
TRUNCATE=999999

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2023 05:44 AM

Remove the BREAK_ONLY_BEFORE setting.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jackin
Path Finder
‎05-19-2023 05:47 AM

If I remove it. Logs are not breaking properly.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2023 08:08 AM

You shouldn't have both BREAK_ONLY_BEFORE and LINE_BREAKER in the same stanza.  Choose one or the other.  If you don't use LINE_BREAKER then SHOULD_LINEMERGE should be set to true.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Configureeventlinebreaking for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...