Getting Data In

Why is LINE_BREAKER not working?

fitzgej_entrust
Engager

I'm having some issues getting my LINE_BREAKER configuration to work for a custom log file. I've tested the RegEx and it matches the beginning of every line, however it's still breaking extremely strangely. Here's the configuration we're running as well as a sample of the log.

The screenshot at the bottom is what it's actually doing.

 

 

MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%d_%I%M %p
TIME_PREFIX = ^
TZ = MST
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}_\d{4} [A|P]M[\s\r\n]+\d{2}


---


2022-05-10_1120 AM 
10.12.14.3 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 
10.12.14.4 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 
10.12.14.5 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 
10.12.14.81 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=58%
2022-05-10_1120 AM 
10.12.14.82 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=73%
2022-05-10_1120 AM 
10.12.14.88 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 
10.12.14.91 
HSM device 0:	HSM in NORMAL MODE. RESPONDING. Usage Level=0%

 

 

 

fitzgej_entrust_0-1652291880535.png

 

 

Labels (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

On your indexer/heavy forwarder (whichever comes first)

[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}_\d{4} [A|P]M)
MAX_TIMESTAMP_LOOKAHEAD = 18
TIME_FORMAT = %Y-%m-%d_%I%M %p
TIME_PREFIX = ^
TZ = MST

View solution in original post

0 Karma

somesoni2
Revered Legend

Give this a try

On your indexer/heavy forwarder (whichever comes first)

[yourSourceType]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}_\d{4} [A|P]M)
MAX_TIMESTAMP_LOOKAHEAD = 18
TIME_FORMAT = %Y-%m-%d_%I%M %p
TIME_PREFIX = ^
TZ = MST
0 Karma

fitzgej_entrust
Engager

...I can not believe I was trying to run that on the Universal forwarder. Worked like a charm, and thank you for the catch there.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...