I have the following two messages that are merging into one event in Splunk, and I need to teach Splunk to break the event at the right spot:
00286 #137 7:08:04.52 142 XXX00003: CONNECT *** TIME OUT *** 7:08:02.36 XXXPRD1 BRS3 010.226.194.025 8080 XXXXX-IDPRODV1 #137 7:08:05.02 142 XXX00008: CONNECT *** TIME OUT *** 7:08:02.74 XXXPRD1 BRS3 010.226.194.025 8080 XXXXX-IDPRODV1
I need the line to break before #137, but my props for this condition are not working:
BREAK_ONLY_BEFORE=#137
Do I need a regex, or is this just the wrong way to address the issue?
Thanks!
I am not sure what the problem is, but try this:
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}
What are the timestamping and linebreaking settings for this source/type in props.conf (it makes a difference on how to answer)?
I am using the following props:
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}s\d{3}
The timestamp of the first event is detected by default, so I don't have anything specific for the timestamp in props.
That did it - I needed a regex and a string match would not work - Thanks!
Nice. Good luck with your project.
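As an added example (not part of the original thread or of Splunk itself), the script below models what SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE does to a raw source, so a candidate regex can be checked against sample lines before it goes into props.conf. The sample input is constructed from the two records in the question, placed on separate lines as they would arrive from the source (the question shows them already merged). One caveat a practitioner will want: the pattern from the accepted answer requires three whitespace characters after #137 and a colon before the fractional seconds, and against the records exactly as the forum rendered them (single spaces, a dot before the fractional seconds) it does not match at all, so the asker's raw data must differ from the pasted text. The looser pattern `LOOSE_PATTERN` is my own assumption, written to match the text as rendered; the merging logic ignores timestamp-based merging and MAX_EVENTS, which real Splunk also consults.

```python
import re

# Constructed sample: the two records from the question, as they would
# arrive on separate lines of the raw source (the post shows them merged).
RAW_SAMPLE = (
    "00286 #137 7:08:04.52 142 XXX00003: CONNECT *** TIME OUT *** "
    "7:08:02.36 XXXPRD1 BRS3 010.226.194.025 8080 XXXXX-IDPRODV1\n"
    "#137 7:08:05.02 142 XXX00008: CONNECT *** TIME OUT *** "
    "7:08:02.74 XXXPRD1 BRS3 010.226.194.025 8080 XXXXX-IDPRODV1\n"
)

# BREAK_ONLY_BEFORE value from the accepted answer, verbatim.
THREAD_PATTERN = r"#137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}"

# Assumption (my own variant): one-or-more spaces after #137 and either ':'
# or '.' before the fractional seconds, so it matches the post's rendering.
LOOSE_PATTERN = r"#137\s+\d{1,2}:\d{2}:\d{2}[.:]\d{2}\s\d{3}"

# Splunk's default LINE_BREAKER splits the stream on runs of CR/LF.
LINE_BREAKER = re.compile(r"[\r\n]+")


def raw_lines(raw):
    """Split raw text into non-empty lines the way the default LINE_BREAKER does."""
    return [line for line in LINE_BREAKER.split(raw) if line]


def merge_events(raw, break_only_before):
    """Approximate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE.

    A line that matches the regex starts a new event; any other line is
    appended to the event currently being built. The first line always
    starts the first event. Timestamp-driven merging and MAX_EVENTS are
    deliberately not modelled.
    """
    pat = re.compile(break_only_before)
    events = []
    for line in raw_lines(raw):
        if events and not pat.search(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def matching_lines(raw, pattern):
    """Return the raw lines a candidate BREAK_ONLY_BEFORE regex matches.

    An empty result means the regex would never start a new event, which is
    the first thing to check when events keep merging.
    """
    pat = re.compile(pattern)
    return [line for line in raw_lines(raw) if pat.search(line)]


if __name__ == "__main__":
    for name, pattern in (("thread", THREAD_PATTERN), ("loose", LOOSE_PATTERN)):
        print(f"{name}: matches {len(matching_lines(RAW_SAMPLE, pattern))} line(s), "
              f"yields {len(merge_events(RAW_SAMPLE, pattern))} event(s)")
```

Run it against a few lines copied from the actual file on the forwarder rather than from a web post: whitespace and punctuation are exactly what a BREAK_ONLY_BEFORE regex is sensitive to, and a pattern that yields one event here will yield one event in Splunk.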