Why is my line breaking configuration for BREAK_ONLY_BEFORE in props.conf not working?

ebailey
Communicator

I have the following two messages that are merging into one event in Splunk, and I need to teach Splunk to break the event at the right spot:

00286       #137   7:08:04.52 142 XXX00003: CONNECT  ***  TIME OUT  ***   7:08:02.36  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1       #137   7:08:05.02 142 XXX00008: CONNECT  ***  TIME OUT  ***   7:08:02.74  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1

I need the line to break before #137, but my props for this condition are not working:

BREAK_ONLY_BEFORE=#137

Do I need a regex, or is this just the wrong way to address the issue?

Thanks!

woodcock
Esteemed Legend

What are the timestamping and linebreaking settings for this source/type in props.conf (it makes a difference on how to answer)?

0 Karma

ebailey
Communicator

I am using the following props:

NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}s\d{3}

The timestamp of the first event is detected by default so I don't have anything specific for the timestamp in props.

0 Karma

edrivera3
Builder

I am not sure what the problem is, but try this:
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}

ebailey
Communicator

That did it - I needed a regex and a string match would not work - Thanks!

0 Karma

edrivera3
Builder

Nice. Good luck with your project.

0 Karma
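
A way to check a candidate BREAK_ONLY_BEFORE pattern offline before it goes into props.conf, added here as an example and not code from the thread or from Splunk. It is a simplified model that assumes input is split on newlines and a new event starts only at a line the pattern matches (Python's `re` stands in for Splunk's PCRE; BREAK_ONLY_BEFORE_DATE and MAX_EVENTS are ignored). The sample lines, the continuation line, the function names and the "dot or colon" pattern are constructed, with the time written as the question shows it (7:08:04.52).

```python
import re

# Constructed sample lines, with the time written as in the question.
RECORD_1 = "00286       #137   7:08:04.52 142 XXX00003: CONNECT  ***  TIME OUT  ***"
RECORD_2 = "      #137   7:08:05.02 142 XXX00008: CONNECT  ***  TIME OUT  ***"
CONTINUATION = "    continuation detail for the first record (constructed)"

# Assumption: in the raw file each record starts on its own physical line.
SAMPLE = "\n".join([RECORD_1, CONTINUATION, RECORD_2]) + "\n"
# Both records on a single physical line, as the question displays them.
ONE_LINE = RECORD_1 + " " + RECORD_2 + "\n"

CANDIDATES = {
    # Pattern from the thread: expects a colon before the hundredths.
    "colon before hundredths": r"#137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}",
    # Constructed variant: accepts "." or ":" before the hundredths.
    "dot or colon": r"#137\s{3}\d{1,2}:\d{2}:\d{2}[.:]\d{2}\s\d{3}",
}

def merge_events(raw, break_only_before):
    """Model of SHOULD_LINEMERGE = true: split on newlines, then start a
    new event only at a line the pattern matches (unanchored search)."""
    pattern = re.compile(break_only_before)
    events = []
    for line in raw.splitlines():
        if pattern.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(lines) for lines in events]

def unmatched_record_lines(raw, break_only_before, marker="#137"):
    """Lines that carry the record marker but would not start a new event."""
    pattern = re.compile(break_only_before)
    return [l for l in raw.splitlines() if marker in l and not pattern.search(l)]

if __name__ == "__main__":
    for name, rx in CANDIDATES.items():
        for label, raw in (("separate lines", SAMPLE), ("one line", ONE_LINE)):
            events = merge_events(raw, rx)
            missed = unmatched_record_lines(raw, rx)
            print(f"{name} / {label}: {len(events)} event(s), "
                  f"{len(missed)} record line(s) not matched")
```

In this model a pattern that matches nothing raises no error: every line merges into the first event, and two records that share one physical line stay one event whatever the pattern, so compare the event count with the number of records you expect.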