Getting Data In

props.conf and splitting events

nikhilmehra79
Path Finder

Hi ,

I am trying to break a event using props.conf but failing issues any help is appreciated:

My event stream generally starts with

Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
.
.
.

.

I also want to use the time above and convert it to CT if possible, reason my indexers are in CT TZ where as my UF are in PT (hence above logs are written in PT TZ)

Also can i use the props.conf in UF (source of log file) as against indexer

I tried to use following in my indexer props.conf with no luck
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\s+\d{4}\s+\w{2}\s+\:\s)

P.S system has removed escape charcter here before s w and d

0 Karma

nikhilmehra79
Path Finder

ok thanks i think i was confused that you need line merge with BREAK_ONLY_BEFORE_DATE. Appreciate your response.
Though i got in another issue after this: I posted here any clue? on this
http://answers.splunk.com/answers/131518/summary-indexing-and-tz

0 Karma

linu1988
Champion

why would you require a line merge after that! The events are broken just before the date, isn't it what you require!

0 Karma

nikhilmehra79
Path Finder

qq : isnt the line merge would be required in this case and isnt that expensive ? not sure but this is what i was reading in DOCS

0 Karma

linu1988
Champion

BREAK_ONLY_BEFORE_DATE = [true|false]
use this in props.conf to get rid of any line_breaker.

0 Karma

nikhilmehra79
Path Finder

Line Breaker i think was required because i had more lines where i said ...actual events look like
Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
Event 1 Info: Blah Blah
Description : Blah Blah Blah

Summary : Blah Blah Blah

Sat Apr 12 18:10:01 2014 PT : Opened Incident Details
Event 2 Info: Blah Blah
Description : Blah Blah Blah
Summary : Blah Blah Blah

0 Karma

nikhilmehra79
Path Finder

I fugured it out - i had got it working with same regex.

0 Karma

linu1988
Champion

splunk would directly recognize the timestamp. just add TZ in the props.conf.

Why is the line breaker required? could you please post more logs?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...