Hi,
I am trying to break an event using props.conf but am failing; any help is appreciated:
My event stream generally starts with
Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
.
.
.
I also want to use the time above and convert it to CT if possible; the reason is that my indexers are in the CT TZ whereas my UFs are in PT (hence the above logs are written in the PT TZ).
Also, can I use props.conf on the UF (source of the log file) as against the indexer?
I tried to use the following in my indexer props.conf with no luck:
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}\:\d{2}\:\d{2}\s+\d{4}\s+\w{2}\s+\:\s)
P.S. The system has removed the escape character here before s, w and d.
OK, thanks. I think I was confused that you need line merge with BREAK_ONLY_BEFORE_DATE. Appreciate your response.
Though I got into another issue after this; I posted it here, any clue on this?
http://answers.splunk.com/answers/131518/summary-indexing-and-tz
Why would you require a line merge after that? The events are broken just before the date; isn't that what you require?
qq: wouldn't the line merge be required in this case, and isn't that expensive? Not sure, but this is what I was reading in the docs:
BREAK_ONLY_BEFORE_DATE = [true|false]
Use this in props.conf to get rid of any LINE_BREAKER.
LINE_BREAKER, I think, was required because I had more lines, as I said... Actual events look like:
Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
Event 1 Info: Blah Blah
Description : Blah Blah Blah
Sat Apr 12 18:10:01 2014 PT : Opened Incident Details
Event 2 Info: Blah Blah
Description : Blah Blah Blah
Summary : Blah Blah Blah
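To check what the LINE_BREAKER from the question does to this stream, and what the PT-to-CT conversion gives, here is an added Python example (not from the thread or from Splunk). It splits the sample events the way Splunk does with SHOULD_LINEMERGE = false, then converts each leading timestamp from America/Los_Angeles to America/Chicago; reading "PT" as America/Los_Angeles (the equivalent of TZ = America/Los_Angeles in props.conf) and "CT" as America/Chicago is an assumption.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Same LINE_BREAKER as in the question: Splunk discards the first capture group
# (the newline run); the lookahead keeps the timestamp at the start of the next event.
LINE_BREAKER = re.compile(
    r"([\r\n]+)(?=\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}\s+\w{2}\s+:\s)"
)
# Leading timestamp of an event, e.g. "Sat Apr 12 18:09:01 2014 PT :"
TIMESTAMP = re.compile(
    r"^(\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+(\w{2})\s+:"
)
# Assumed zones: the forwarder writes "PT" (TZ = America/Los_Angeles in props.conf),
# the indexers run in CT.
SOURCE_TZ = ZoneInfo("America/Los_Angeles")
INDEXER_TZ = ZoneInfo("America/Chicago")

# Constructed sample stream, copied from the events shown in the thread.
SAMPLE = """Sat Apr 12 18:09:01 2014 PT : Opened Incident Details
Event 1 Info: Blah Blah
Description : Blah Blah Blah
Sat Apr 12 18:10:01 2014 PT : Opened Incident Details
Event 2 Info: Blah Blah
Description : Blah Blah Blah
Summary : Blah Blah Blah
"""


def break_events(stream):
    """Split a raw stream into events as LINE_BREAKER does with SHOULD_LINEMERGE = false."""
    parts = LINE_BREAKER.split(stream)
    # re.split returns [event, captured_newlines, event, ...]; keep only the events.
    return [p.strip() for i, p in enumerate(parts) if i % 2 == 0 and p.strip()]


def event_time(event):
    """Parse the leading PT timestamp into an aware datetime in the source zone."""
    m = TIMESTAMP.match(event)
    if not m:
        raise ValueError("event does not start with the expected timestamp: %r" % event[:40])
    naive = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=SOURCE_TZ)


def to_indexer_tz(event):
    """Convert the event timestamp from PT to CT (what Splunk does once TZ is set)."""
    return event_time(event).astimezone(INDEXER_TZ)


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(to_indexer_tz(ev).isoformat(), "|", ev.splitlines()[0])
```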
I figured it out - I had got it working with the same regex.
Splunk would directly recognize the timestamp. Just add TZ in props.conf.
Why is the line breaker required? Could you please post more logs?