Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

linebreaking issue

ebailey
Communicator
‎07-27-2013 11:41 PM

I need some help getting Splunk to line break properly. I have a poorly formatted log file that is pulled from a mainframe so getting the formatting of the message changed would be extremely tough. I was hoping to use Splunk's built-in tools to handle the issue, but I cannot get this to work right at all.

Here is a sample event

20131992359247000|2013|199|235924|7000|7000|xxxx|xxxx|xxxx|xxxxxxx|xxxx|3101600002xx 02153604 |1|06|xx|U |00000000|205|xxxx - xxxxxxxxxxxxxxxxxxxxxx| |

I want to have every line break before

20131992359247000 (this is not a static value - it changes for every events)

but my regex is not working. Any suggestions

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-28-2013 03:23 PM 
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)20131992359247000

well, if it's not a static value, then you are going to have to say how it differs from every other line. i'm also assuming that you actually have multiple lines and that your problem is that you want to break at the beginning of a particular line that matches some pattern. So the question is, what is that pattern? And the answer to that is your regex. It would be helpful if you described it in words if you can't do so in regex. But let's say that it's just every line that starts with a 17-digit number, and then the pipe. Then it's just:

([\r\n]+)\d{17}\|

Or maybe it's more restrictive, and there are other lines with 17-digit numbers at the start that you don't want to break on. Or maybe the 17-digit number in the middle of the line. You need to say it, not make us guess.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-28-2013 03:23 PM 
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)20131992359247000

well, if it's not a static value, then you are going to have to say how it differs from every other line. i'm also assuming that you actually have multiple lines and that your problem is that you want to break at the beginning of a particular line that matches some pattern. So the question is, what is that pattern? And the answer to that is your regex. It would be helpful if you described it in words if you can't do so in regex. But let's say that it's just every line that starts with a 17-digit number, and then the pipe. Then it's just:

([\r\n]+)\d{17}\|

Or maybe it's more restrictive, and there are other lines with 17-digit numbers at the start that you don't want to break on. Or maybe the 17-digit number in the middle of the line. You need to say it, not make us guess.

Reply
Solved! Jump to solution

ebailey
Communicator
‎07-29-2013 08:25 PM

that is it - i almost had it right - Thanks!

0 Karma
Reply
Solved! Jump to solution

ddarmand
Communicator
‎07-29-2013 08:17 AM

use transform.conf to make a field ?

0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎07-29-2013 06:54 AM

20131992359247000 is not a static value

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...