Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

line-break issues in events

fisuser1
Contributor
‎05-17-2017 04:52 AM

I'm having issues with line break for some reason. I'm looking to break into individual line events. I've included the following in the specific apps props.conf. Any suggestions?

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

raw data
y8200|ACH-NEW-R|05/16/2017|7|1|5|881.24|3|50.24|INC_ACH-NEW-R3-0516.PBS|05/16/2017|2|397|
y8200|ACH-NEW-R|05/16/2017|8|1|0|0.00|1|412.00|INC_ACH-NEW-R4-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|1|1|27332|19348046.77|11142|10812534.28|INC_ACH-R1-0516.PBS|05/16/2017|5|33|
y8200|ACH-R|05/16/2017|2|1|43093|106558388.19|40396|117051987.96|INC_ACH-R2-0516.PBS|05/16/2017|||
y8200|ACH-R|05/16/2017|3|1|14949|6935959.69|5846|5575650.96|INC_ACH-R3-0516.PBS|05/16/2017||0|
y8200|ACH-R|05/16/2017|4|1|11145|2342435.86|4304|5653510.66|INC_ACH-R4-0516.PBS|05/16/2017|||

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

aakwah
Builder
‎05-17-2017 06:12 AM

Hello,

According to docs what you are doing should work fine, however it doesn't work for me as well.

For sample logs you have provided, the following worked fine:

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)

Regards

View solution in original post

Reply
Solved! Jump to solution

aakwah
Builder
‎05-19-2017 01:00 AM

I gave a try again with LINE_BREAKER = ([\r\n]+) and It worked fine on version 6.5.3

0 Karma
Reply
Solved! Jump to solution
Solution

aakwah
Builder
‎05-17-2017 06:12 AM

Hello,

According to docs what you are doing should work fine, however it doesn't work for me as well.

For sample logs you have provided, the following worked fine:

props.conf
[SPLUNK_INCL_DATA.DAT]
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ($)

Regards

Reply
Solved! Jump to solution

gvnd
Path Finder
‎05-19-2017 06:14 AM

working fine, But how.? could you please explain.?

Thanks in advance

0 Karma
Reply
Solved! Jump to solution

khalidewaidah
Explorer
‎06-30-2017 04:18 PM

Hi ,
1- Where is props.conf stored & let me know this change will impact all logs or specific log .
2- Can I enforce splunk to monitor log line by line using input.conf

0 Karma
Reply
Solved! Jump to solution

prathapkcsc
Explorer
‎06-30-2017 04:24 PM

props.conf file location : $SPLUNK_HOME/etc/system/local
Inside the directory you find props.conf,in case if you don't have create new one with props.conf name.
Place that code inside file after restart the splunkd service.

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-19-2017 07:00 AM

Hello,
$ matches the end of the line, it is working the same like ^ with start of the line
Regards

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-17-2017 05:49 AM

You need to:

  • Make sure that the sourcetype in the stanza header matches EXACTLY the sourcetype of your data.
  • Deploy this to each of your indexers
  • Restart splunk on each indexer
  • Test by searching ONLY against data indexed AFTER the deploy/restart (old data will stay broken)
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...