Hi,
How would I parse a file that has two linebreaking formats? The first is when the line begins and ends with asterisks (*), and the other is when they start with a date. The asterisk appears to be multi-line, and the date appears to be single-line.
Hi a212830,
Try something like the following for your props.conf:
BREAK_ONLY_BEFORE=^\*\*\s+\w+|^\[
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
The BREAK_ONLY_BEFORE is in two parts to have two separate events:
1. ^\*\*\s+\w+
- this is looking for a newline starting with 2 asterisks, a space, then a word
2. |^\[
- OR a square bracket at the start of a line.
Of course you can make this as complicated as you like depending on your events, but from what you have shown me the regex of ^\*\*\s+\w+|^\[ should work as an event break for your data.
Regards,
Vince
Hi a212830,
If you create your own source type and you use the BREAK_ONLY_BEFORE option to create a regex that will look for the two linebreaking formats:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf
Without knowing much more information on what you are currently working on, you could set it to something like:
BREAK_ONLY_BEFORE = (^*|^date)
Hope this helps. If you would like to provide some examples, I would be happy to help set up the props.conf file with you.
Regards,
Vince
Thanks.
I have lines like this:
*********** blah blah blah start of this event with no date/time stamp ***
stuff
stuff
********* blah blah blah end of this event
and lines like this
[10/29/12 6:40:34:438 EDT] 000001ae SystemErr R [Fatal Error] :-1:-1: Premature end of file.
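One way to check a candidate BREAK_ONLY_BEFORE regex against sample lines before putting it in props.conf, as an added example that is not part of the original thread and is not Splunk's code. Assumptions: `merge_events` is a hypothetical, simplified model of SHOULD_LINEMERGE=true (it ignores BREAK_ONLY_BEFORE_DATE, MAX_EVENTS and other settings, and uses Python's `re` in place of Splunk's PCRE), `RUN_PATTERN` is an assumed variant, and the sample lines are constructed from the ones posted above.

```python
import re

# Pattern from the props.conf answer on this page.
PAGE_PATTERN = r"^\*\*\s+\w+|^\["
# Assumed variant (not from the thread): any run of two or more asterisks.
RUN_PATTERN = r"^\*{2,}\s+\w+|^\["

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE = """\
[10/29/12 6:40:30:101 EDT] 000001ae SystemOut O request received
*********** blah blah blah start of this event with no date/time stamp ***
stuff
stuff
********* blah blah blah end of this event
[10/29/12 6:40:34:438 EDT] 000001ae SystemErr R [Fatal Error] :-1:-1: Premature end of file.
""".splitlines()


def merge_events(lines, break_only_before):
    """Simplified model of line merging with BREAK_ONLY_BEFORE:
    a line that matches the regex starts a new event, any other
    line is appended to the current event."""
    regex = re.compile(break_only_before)
    events = []
    for line in lines:
        if regex.search(line) or not events:
            events.append([line])   # break before this line
        else:
            events[-1].append(line)  # merge into the current event
    return events


def report(lines, pattern):
    """Print how the pattern splits the lines and return the events."""
    events = merge_events(lines, pattern)
    print(f"{pattern!r}: {len(events)} event(s)")
    for i, ev in enumerate(events, 1):
        print(f"  event {i}: {len(ev)} line(s), starts {ev[0][:30]!r}")
    return events


if __name__ == "__main__":
    report(SAMPLE, PAGE_PATTERN)
    report(SAMPLE, RUN_PATTERN)
```

On this constructed sample, the two-asterisk pattern leaves the long asterisk header merged into the preceding bracket event, while the assumed variant splits it out but also breaks before the closing asterisk line.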