Getting Data In

help with line-breaking

a212830
Champion

Hi,

I have a feed coming in from db connect, which I can't get to line-break properly.

My props is:
[Performance]
ANNOTATE_PUNCT = false
BREAK_ONLY_BEFORE = app_name="
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 160
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %m-%d-%Y %H:%M:%S
TIME_PREFIX = time="

And here's some samples... I'm still getting a fair amount of multi-line events, but they should be breaking at the app_name field.

app_name="Microphone volume control service" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=1.1640625
app_name="Local Session Manager Service" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent=0.029999999999999999 app_peak_mem_used_mb=2.6806640625
app_name="Google Chrome" user_name=JOESCHMOE@DMNX user=JOESCHMOE user_domain=DMNX machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=7 app_total_iops=180 app_total_cpu_percent=2.0600000000000001 app_peak_mem_used_mb=619.208984375
app_name="Entrust Entelligence Security Provider 9.1 for Outlook" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDMLA141056 time="06-01-2015 09:58:26" end_date=1433181506.000 app_load_count=0 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=2.541015625
app_name="DameWare Mini Remote Client Agent" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=2.1728515625
app_name="FMAPP Application" user_name=JOESCHMOE@DMNX user=JOESCHMOE user_domain=DMNX machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=1 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=2.50390625
app_name="Lenovo Auto Scroll Utility" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent=0.029999999999999999 app_peak_mem_used_mb=1
app_name="Intel® PROSet/Wireless WiFi Software" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent=0.28999999999999998 app_peak_mem_used_mb=4.0302734375
app_name="McAfee VirusScan Enterprise" user_name=SYSTEM user=SYSTEM user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=4.453125
app_name=PresentationFontCache.exe user_name="LOCAL SERVICE" user="LOCAL SERVICE" user_domain= machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=1.4921875
app_name="Desktop Window Manager" user_name=joeschmoe@DMNX user=JOESCHMOE user_domain=DMNX machine_name=INDCLA153484 time="06-01-2015 09:59:31" end_date=1433181571.000 app_load_count=0 app_total_iops= app_total_cpu_percent=0.41999999999999998 app_peak_mem_used_mb=48.6689453125
app_name="Print driver host for 32bit applications" user_name=marcyschmoe@dmnx user=MARYSCHMOE user_domain=DMNX machine_name=INDELA151114 time="06-01-2015 09:54:54" end_date=1433181294.000 app_load_count=0 app_total_iops= app_total_cpu_percent= app_peak_mem_used_mb=4.6904296875
0 Karma

woodcock
Esteemed Legend

Try this instead:

BREAK_ONLY_BEFORE = \s*app_name="
0 Karma

a212830
Champion

Thanks. Tried it - same results:

ANNOTATE_PUNCT = false
KV_MODE = auto
MAX_TIMESTAMP_LOOKAHEAD = 160
BREAK_ONLY_BEFORE = \s*app_name="
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %m-%d-%Y %H:%M:%S
TIME_PREFIX = time="
pulldown_type = 1
0 Karma

woodcock
Esteemed Legend

I am not sure why you would be having this problem but you should also change MAX_TIMESTAMP_LOOKAHEAD to 19, regardless. Do you need SHOULD_LINEMERGE = true? If not (i.e. all logs are always on a single line), change this to false and that should do it.

0 Karma
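To see why the SHOULD_LINEMERGE setting matters here, the following is an added model of the event breaking discussed in this thread; it is constructed for illustration and is neither Splunk's parser nor code from either poster. It assumes the default newline LINE_BREAKER, treats BREAK_ONLY_BEFORE as "open a new event only on a matching line", and confines the timestamp search to MAX_TIMESTAMP_LOOKAHEAD characters after TIME_PREFIX; the sample feed is constructed in the same key=value shape as the samples above.

```python
"""Simplified model of the Splunk props.conf event breaking discussed in this thread.

Constructed approximation, not Splunk's parser: lines are split on newline first,
SHOULD_LINEMERGE=true then merges a line into the previous event unless it matches
BREAK_ONLY_BEFORE, and the timestamp is looked for only in the
MAX_TIMESTAMP_LOOKAHEAD characters that follow TIME_PREFIX.
"""
import re
from datetime import datetime

# Constructed sample feed in the same key=value shape as the samples above; the
# third line is a wrapped continuation that carries no app_name field.
SAMPLE_FEED = (
    'app_name="Google Chrome" user=JOESCHMOE time="06-01-2015 09:59:31" app_load_count=7\n'
    'app_name="Desktop Window Manager" user=JOESCHMOE time="06-01-2015 09:59:31" end_date=1433181571.000\n'
    '    app_peak_mem_used_mb=48.6689453125\n'
    'app_name="McAfee VirusScan Enterprise" user=SYSTEM time="06-01-2015 09:59:31" app_load_count=0\n'
)

TIME_SHAPE = re.compile(r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}")  # shape of %m-%d-%Y %H:%M:%S

def break_events(raw, should_linemerge, break_only_before=r'\s*app_name="'):
    """Return the events this model produces for the raw feed."""
    lines = raw.splitlines()
    if not should_linemerge:
        return lines  # SHOULD_LINEMERGE=false: every newline starts a new event
    events, pattern = [], re.compile(break_only_before)
    for line in lines:
        if events and not pattern.match(line):
            events[-1] += "\n" + line  # not a break point: append to previous event
        else:
            events.append(line)
    return events

def extract_time(event, lookahead, time_prefix='time="', time_format="%m-%d-%Y %H:%M:%S"):
    """Find the timestamp within `lookahead` chars after TIME_PREFIX, or None."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    found = TIME_SHAPE.search(event[prefix.end():prefix.end() + lookahead])
    return datetime.strptime(found.group(), time_format) if found else None

def check_events(events, lookahead):
    """Return (index, reason) for events that would not index as intended."""
    problems = []
    for i, ev in enumerate(events):
        if ev.count("app_name=") != 1:
            problems.append((i, "expected exactly one app_name field"))
        if extract_time(ev, lookahead) is None:
            problems.append((i, "no timestamp after TIME_PREFIX within lookahead"))
    return problems
```

Running check_events on both breaking modes shows the trade-off: with SHOULD_LINEMERGE=false a wrapped continuation becomes its own event with no app_name and no timestamp, while with SHOULD_LINEMERGE=true and the \s*app_name=" pattern it is folded into the record it belongs to; a lookahead of 19 is enough because the timestamp after time=" is exactly 19 characters long.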