line breaking - regex and capturing group

pmr · ‎02-17-2011

Hello, Need some help on regex here, am sure i maybe making mistake here but..

trying to break these into seperate events by using LINE_BREAKER under props.conf

sample output of my event :

"datetime=26Aug2001","20:26:02","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound","src=139.67.8.235","dst=139.203.160.214","bytes=48","rule=29","proto=tcp/http"
"datetime=26Aug2001","20:26:03","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound","src=61.138.33.102","dst=139.203.13.45","bytes=48","rule=29","proto=tcp/http"

my props.conf LINE_BREAKER looks like this :

LINE_BREAKER = (tcp/http")

what's happening here is since this is capturing group, it doesnt get displayed in the actual event, looks like this : (without the tcp/http)

"datetime=26Aug2001","20:26:03","action=drop","fw_name=NFLcp.NFL.gov","dir=inbound","src=61.138.33.102","dst=139.203.13.45","bytes=48","rule=29","proto=

i tried using look-ahead like these but its still not working :

LINE_BREAKER = =(?=(tcp/http"))

LINE_BREAKER = =((?=tcp/http"))

any help on this ?

thanks pmr

gkanapathy · ‎02-17-2011

You probably want something more like:

LINE_BREAKER = ([\r\n]+)(?=\"datetime\=)

line breaking - regex and capturing group

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!