Getting Data In

props.conf doesn't work properly

ggssa2000
Explorer

Hi, Splunkers,

I have the following data coming from a UF to the Splunk instance.

<< UDP-1128 Nocrypto.......
    REGISTER.....
    ......................
    ......................
    ......................
    ......................
    ......................
    ......................
    Content-Length: 0

It is the content of a single file; however, Splunk breaks it into one event per line, like this:

<< UDP-1128 Nocrypto.......
REGISTER.....
...........................
Content-Length: 0

This makes it difficult to search the data.

I have already tried this config in several locations:
1. UF's $SPLUNK/etc/apps/[deployment_app_name]/local/props.conf
2. the apps located in the Splunk instance at $SPLUNK_HOME/etc/apps/[App_Name]/local/props.conf
3. the props.conf at $SPLUNK_HOME/etc/system/local/props.conf

Here is the props.conf content:

[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_MERGE = true
BREAK_ONLY_BEFORE = \s+<<\sUDP-\d+\sNoCrypto
MUST_BREAK_AFTER = Content-Length


BREAK_ONLY_BEFORE = <regular expression>
* When set, Splunk creates a new event only if it encounters a new line that
  matches the regular expression.
* Defaults to empty.

MUST_BREAK_AFTER = <regular expression>
* When set and the regular expression matches the current line, Splunk
  creates a new event for the next input line.
* Splunk may still break before the current line if another rule matches.
* Defaults to empty.

The instructions are from the "Configure event line breaking" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Configureeventlinebreaking
and the "props.conf" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

But the props.conf still doesn't merge the data into a multi-line event.
Does anyone have suggestions? Thanks for replying 🙂

0 Karma

woodcock
Esteemed Legend

Try this:

[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\s*<<\s*UDP-\d+\s+

Save this to your indexers, restart all Splunk instances on your indexers, and test by ONLY checking events that were indexed AFTER the restarts. Do note my implementation of the comment by @dineshraj9!
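Before pushing a stanza like this to the indexers and restarting, it is worth checking the regex against a real header line and seeing how the events would fall out. The script below is an added example (not code from this thread or from Splunk): a small Python emulation of the `LINE_BREAKER` / `SHOULD_LINEMERGE` / `BREAK_ONLY_BEFORE` / `MUST_BREAK_AFTER` behaviour described in props.conf.spec, run over a constructed sample modelled on the lines quoted in the question. It assumes that `BREAK_ONLY_BEFORE` and `MUST_BREAK_AFTER` are applied as unanchored searches against each physical line, and that `LINE_BREAKER` discards the text matched by its first capture group; timestamp-based merging (`BREAK_ONLY_BEFORE_DATE`) is not modelled. The lookahead `LINE_BREAKER` variant with `SHOULD_LINEMERGE = false` is my own suggestion, not something proposed in the thread.

```python
import re

# Constructed sample modelled on the lines quoted in the question; not real capture data.
SAMPLE = (
    "<< UDP-1128 Nocrypto.......\n"
    "    REGISTER.....\n"
    "    ......................\n"
    "    Content-Length: 0\n"
    "<< UDP-1129 Nocrypto.......\n"
    "    REGISTER.....\n"
    "    Content-Length: 0\n"
)

# BREAK_ONLY_BEFORE as posted in the question, and as suggested in the answer above.
ORIGINAL_BREAK_ONLY_BEFORE = r"\s+<<\sUDP-\d+\sNoCrypto"
SUGGESTED_BREAK_ONLY_BEFORE = r"^\s*<<\s*UDP-\d+\s+"
MUST_BREAK_AFTER = r"Content-Length"
# Alternative (my suggestion, not from the thread): let LINE_BREAKER do the whole job
# with SHOULD_LINEMERGE = false. The lookahead keeps "<<" at the start of the next event.
LOOKAHEAD_LINE_BREAKER = r"([\r\n]+)(?=<<\s*UDP-\d+)"


def header_matches(pattern, line):
    """Does a BREAK_ONLY_BEFORE / MUST_BREAK_AFTER regex fire on this physical line?
    Assumption for this emulation: Splunk applies these as unanchored searches."""
    return re.search(pattern, line) is not None


def line_merge(raw, break_only_before=None, must_break_after=None, should_linemerge=True):
    """Emulate LINE_BREAKER = ([\\r\\n]+) followed by the SHOULD_LINEMERGE pass.
    Only BREAK_ONLY_BEFORE and MUST_BREAK_AFTER are modelled; the default
    timestamp-based merging (BREAK_ONLY_BEFORE_DATE) is not.
    Returns events as lists of the physical lines they were built from."""
    lines = [l for l in re.split(r"[\r\n]+", raw) if l]
    if not should_linemerge:
        return [[l] for l in lines]  # one event per physical line
    bob = re.compile(break_only_before) if break_only_before else None
    mba = re.compile(must_break_after) if must_break_after else None
    events, current, force_break = [], [], False
    for line in lines:
        # A new event starts only where BREAK_ONLY_BEFORE fires, or right after a
        # line that matched MUST_BREAK_AFTER. A regex that never fires glues
        # everything together (up to MAX_EVENTS lines in real Splunk).
        starts_event = force_break or (bob is not None and bob.search(line) is not None)
        if starts_event and current:
            events.append(current)
            current = []
        current.append(line)
        force_break = mba is not None and mba.search(line) is not None
    if current:
        events.append(current)
    return events


def line_break(raw, line_breaker):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false: the first capture group is
    the delimiter Splunk discards; text before it closes an event, text after it
    opens the next. Returns the raw text of each event."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]


if __name__ == "__main__":
    header = SAMPLE.splitlines()[0]
    print("original regex fires on header line: ", header_matches(ORIGINAL_BREAK_ONLY_BEFORE, header))
    print("suggested regex fires on header line:", header_matches(SUGGESTED_BREAK_ONLY_BEFORE, header))
    for label, events in [
        ("SHOULD_LINEMERGE=false, default LINE_BREAKER", line_merge(SAMPLE, should_linemerge=False)),
        ("original BREAK_ONLY_BEFORE only", line_merge(SAMPLE, ORIGINAL_BREAK_ONLY_BEFORE)),
        ("original BREAK_ONLY_BEFORE + MUST_BREAK_AFTER", line_merge(SAMPLE, ORIGINAL_BREAK_ONLY_BEFORE, MUST_BREAK_AFTER)),
        ("suggested BREAK_ONLY_BEFORE", line_merge(SAMPLE, SUGGESTED_BREAK_ONLY_BEFORE)),
        ("lookahead LINE_BREAKER", [e.splitlines() for e in line_break(SAMPLE, LOOKAHEAD_LINE_BREAKER)]),
    ]:
        print(f"{label}: {len(events)} event(s), lines per event {[len(e) for e in events]}")
```

Two things the run makes visible. The original `\s+<<\sUDP-\d+\sNoCrypto` never fires on `<< UDP-1128 Nocrypto.......`: `\s+` demands whitespace before `<<` on a line that starts with `<<`, and `NoCrypto` does not match `Nocrypto` case-sensitively; the same pattern does fire on ` << UDP-1128 NoCrypto`, which is how to spot both defects. Also, a `BREAK_ONLY_BEFORE` that never matches does not fall back to one event per line; it merges everything until `MUST_BREAK_AFTER` or `MAX_EVENTS` intervenes. Python's `re` is close enough to Splunk's PCRE for these patterns, but the stanza only takes effect where parsing happens (indexers or a heavy forwarder, not a universal forwarder), `[host::<host>]` has to carry the literal host name the events arrive with, and already-indexed events are never re-broken.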

ggssa2000
Explorer

I will try it later and let you know the result. Thanks!

0 Karma

dineshraj9
Builder

It should be SHOULD_LINEMERGE and not SHOULD_MERGE

SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
  multi-line event, based on the following configuration attributes.
* Defaults to true.

# When SHOULD_LINEMERGE is set to true, use the following attributes to
# define how Splunk builds multi-line events.

ggssa2000
Explorer

I did it correctly in the props.conf, and it still doesn't work 😞

0 Karma