Getting Data In

how to split log file on non-standard date and special characters

ssaenger
Communicator

Hi All,

I have a log file that has a non-standard date/time and special characters, and I am trying to split the lines on the forwarder; however, I cannot get Splunk to read anything less than 257 lines at a time!

My log lines are as follows:

[Wed May 31 12:34:22.431862 2017] [:debug] [pid 10890] ils_util.c(615): SSS_DBG:[10890,55584809]:-  
+------------------- Start Of Request --------------------
| Id = 55584809,  SessionId = 1300,  Sid = 28716112
+---------------------------------------------------------
[Wed May 31 12:34:22.431867 2017] [:debug] [pid 10890] ils_util.c(618): SSS_DBG:[10890,55584809]:-  Start Of Request - Id = 55584809,  SessionId = 1300,  Sid = 28716112

My props.conf file is below:

[int_error_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^[\d{3}\s\d{3}\s\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}\s\d{4}]\s
MAX_TIMESTAMP_LOOKAHEAD = 35
TIME_PREFIX = ^

I have tried to use LINE_BREAKER=([+||]+) in order to deal with the special characters; however, this resulted in even more lines per break.

Thanks

1 Solution

somesoni2
Revered Legend

First you need to set up the event parsing (line breaking, timestamp identification, etc.) on your indexers/heavy forwarders. If the instance monitoring this is a Universal Forwarder, then move the line breaking configurations to your indexers/heavy forwarders (a restart of Splunk would be needed).

Second, give this config a try:

[int_error_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\.\d+)
TIME_PREFIX = ^\[\w+\s+
TIME_FORMAT = %b %d %H:%M:%S.%N %Y
MAX_TIMESTAMP_LOOKAHEAD = 27

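The following is an added check, not part of the original answer or of Splunk itself: a simplified Python re-implementation of how LINE_BREAKER (text matched by capture group 1 is discarded, the lookahead is only consulted) and TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT behave, run against the sample lines quoted in the question so you can confirm the stanza yields two events before restarting an indexer. The sample text is constructed from the question; Splunk's `%N` is spelled `%f` in Python's strptime.

```python
import re
from datetime import datetime

# Values copied from the accepted props.conf stanza
LINE_BREAKER = r"([\r\n]+)(?=\[\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\.\d+)"
TIME_PREFIX = r"^\[\w+\s+"
MAX_TIMESTAMP_LOOKAHEAD = 27
# Splunk "%b %d %H:%M:%S.%N %Y"; Python spells sub-seconds as %f
TIME_FORMAT_PY = "%b %d %H:%M:%S.%f %Y"

# Constructed sample: the log lines quoted in the question, as one raw chunk
SAMPLE = (
    "[Wed May 31 12:34:22.431862 2017] [:debug] [pid 10890] ils_util.c(615): "
    "SSS_DBG:[10890,55584809]:-  \n"
    "+------------------- Start Of Request --------------------\n"
    "| Id = 55584809,  SessionId = 1300,  Sid = 28716112\n"
    "+---------------------------------------------------------\n"
    "[Wed May 31 12:34:22.431867 2017] [:debug] [pid 10890] ils_util.c(618): "
    "SSS_DBG:[10890,55584809]:-  Start Of Request - Id = 55584809,  "
    "SessionId = 1300,  Sid = 28716112\n"
)


def split_events(raw: str, line_breaker: str = LINE_BREAKER) -> list:
    """Cut events where capture group 1 matches; the matched newlines are
    dropped, and lines starting with '+' or '|' never satisfy the lookahead,
    so the box lines stay attached to the event above them."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        chunk = raw[start:m.start(1)]
        if chunk:
            events.append(chunk)
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def extract_timestamp(event: str):
    """Skip TIME_PREFIX, then look for TIME_FORMAT inside the next
    MAX_TIMESTAMP_LOOKAHEAD characters (simplified: try shrinking slices)."""
    prefix = re.match(TIME_PREFIX, event)
    if not prefix:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT_PY)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(extract_timestamp(ev), "|", ev.count("\n") + 1, "line(s)")
```

Note that the 27-character lookahead exactly covers `May 31 12:34:22.431862 2017`; a lookahead shorter than that would truncate the year and the event would fall back to a guessed timestamp.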

ssaenger
Communicator

Thanks somesoni2,
Worked perfectly 🙂. Apologies for the delay in my reply; I have been away 🙂
