Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the file without line feeds and carriage does not run?

gcusello
SplunkTrust
SplunkTrust
‎08-25-2018 03:46 AM

Hi at all,
I have a file without CR al LF to divide events.
I usually parsed these files without problems (e.g. SAP logs), but now I don't know why it doesn't run!
this is an example of my file

141.146.8.66 - - [13/Jan/2016 21:03:09:200] "POST /category.screen?category_id=SURPRISE&JSESSIONID=SD1SL2FF5ADFF3 HTTP 1.1" 200 3496 "http://www.myflowershop.com/cart.do?action=view&itemId=EST-16&product_id=RP-SN-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 294&&&130.253.37.97 - - [13/Jan/2016 21:03:09:185] "GET /category.screen?category_id=BOUQUETS&JSESSIONID=SD7SL2FF1ADFF8 HTTP 1.1" 200 2320 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-12&product_id=AV-CB-01" "Opera/9.20 (Windows NT 6.0; U; en)" 361&&&141.146.8.66 - - [13/Jan/2016 21:03:09:167] "GET /product.screen?product_id=RP-LI-02&JSESSIONID=SD9SL9FF8ADFF1 HTTP 1.1" 200 3855 "http://www.myflowershop.com/cart.do?action=changequantity&itemId=EST-20&product_id=RP-LI-02" "Googlebot/2.1 ( http://www.googlebot.com/bot.html) " 929&&&

The end of an event is &&& .
I tried with SHOULD_LINEMERGE = true and false
I tried with LINE_BREAKING, MUST_BREAK_AFTER, BREAK_ONLY_BEFORE_DATE and BREAK_ONLY_BEFORE.
I tried to replace &&& with \n , but every time I continue to have only one event not divided.
Where I'm wrong? i know that it's a very stupid thing but I'm going mad!

Thank you in advance.

Bye.
Giuseppe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-25-2018 09:37 AM

@cusello did you try LINE_BREAKING or LINE_BREAKER? Following setting works fine for me:

LINE_BREAKER=(&&&)

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Preview file
70 KB
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-25-2018 09:37 AM

@cusello did you try LINE_BREAKING or LINE_BREAKER? Following setting works fine for me:

LINE_BREAKER=(&&&)

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
70 KB
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2018 12:46 AM

Fantastic, as always!
but, only to understand: why must I use parenthesis?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-26-2018 04:27 AM

Anytime!!! Paranthesis makes it capturing group. 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...