Why is my line breaking configuration for BREAK_ONLY_BEFORE in props.conf not working?

Communicator

I have the following two messages that are merging into one event in Splunk, and I need to teach Splunk to break the event at the right spot.

00286       #137   7:08:04.52 142 XXX00003: CONNECT  ***  TIME OUT  ***   7:08:02.36  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1       #137   7:08:05.02 142 XXX00008: CONNECT  ***  TIME OUT  ***   7:08:02.74  XXXPRD1    BRS3 010.226.194.025  8080    XXXXX-IDPRODV1

I need the line to break before #137, but my props for this condition are not working:

BREAK_ONLY_BEFORE=#137

Do I need a regex, or is this just the wrong way to address the issue?

Thanks!

Esteemed Legend

What are the timestamping and linebreaking settings for this source/type in props.conf (it makes a difference on how to answer)?

0 Karma

Communicator

I am using the following props:

NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}s\d{3}

The timestamp of the first event is detected by default so I don't have anything specific for the timestamp in props.

0 Karma

Builder

I am not sure what the problem is, but try this:
BREAK_ONLY_BEFORE = #137\s{3}\d:\d{2}:\d{2}:\d{2}\s\d{3}

Communicator

That did it - I needed a regex and a string match would not work - Thanks!

0 Karma

Builder

Nice. Good luck with your project.

0 Karma