Getting Data In

props.conf doesn't work properly

Explorer

Hi, Splunkers,

I have the following data coming from a UF to a Splunk instance.

<< UDP-1128 Nocrypto.......
    REGISTER.....
    ......................
    ......................
    ......................
    ......................
    ......................
    ......................
    Content-Length: 0

It is all from the same file's content; however, Splunk breaks it into one event per line, like this:

<< UDP-1128 Nocrypto.......
REGISTER.....
...........................
Content-Length: 0

This makes it difficult for me to search the data.

I have already tried this config in several locations:
1. UF's $SPLUNK/etc/apps/[deploymentappname]/local/props.conf
2. the apps located in the Splunk instance at $SPLUNKHOME/etc/apps/[AppName]/local/props.conf
3. the props.conf at $SPLUNK_HOME/etc/system/local/props.conf

Here is the props.conf content:

[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_MERGE = true
BREAK_ONLY_BEFORE = \s+<<\sUDP-\d+\sNoCrypto
MUST_BREAK_AFTER = Content-Length


BREAK_ONLY_BEFORE = <regular expression>
* When set, Splunk creates a new event only if it encounters a new line that
  matches the regular expression.
* Defaults to empty.

MUST_BREAK_AFTER = <regular expression>
* When set and the regular expression matches the current line, Splunk
  creates a new event for the next input line.
* Splunk may still break before the current line if another rule matches.
* Defaults to empty.

The instructions are from the "Configure event line breaking" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Configureeventlinebreaking
and the "props.conf" doc
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

But the props.conf doesn't work to merge the data into a multi-line event.
Does anyone have suggestions? Thanks for replying 🙂


Re: props.conf doesn't work properly

Builder

It should be SHOULD_LINEMERGE and not SHOULD_MERGE.

SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
  multi-line event, based on the following configuration attributes.
* Defaults to true.

# When SHOULD_LINEMERGE is set to true, use the following attributes to
# define how Splunk builds multi-line events.

Re: props.conf doesn't work properly

Explorer

I did it right in the props.conf; it still doesn't work 😞


Re: props.conf doesn't work properly

Esteemed Legend

Try this:

[host::<host>]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ^\s*<<\s*UDP-\d+\s+

Save this to your indexers, restart all Splunk instances on your indexers and test by ONLY checking events that were indexed AFTER the restarts. Do note my implementation of the comment by @dineshraj9!
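To make the two stanzas in this thread concrete, here is an added Python model of the parsing stage (LINE_BREAKER, then SHOULD_LINEMERGE with BREAK_ONLY_BEFORE and MUST_BREAK_AFTER) run over constructed sample lines in the shape the original post shows. It is not Splunk code and not part of the thread; it only models the attributes quoted above (no timestamp-based breaking, no MAX_EVENTS), drops unknown keys the way Splunk does (so the misspelled SHOULD_MERGE in the first post is silently ignored and SHOULD_LINEMERGE keeps its default of true), and applies the regexes unanchored, as Splunk does. The sample text, the IP addresses and the SIP lines are invented for the example. Two checks fall out of running it: the first post's BREAK_ONLY_BEFORE regex (`\s+<<\sUDP-\d+\sNoCrypto`) never fires on a header that starts at column 0, and it spells NoCrypto while the sample reads Nocrypto (the match is case-sensitive), so every break there depends on MUST_BREAK_AFTER alone; the answer's `^\s*<<\s*UDP-\d+\s+` fires on every header. As the answer says, this stage runs on the indexers (a universal forwarder does not merge lines), so the stanza must live there.

```python
import re

# Constructed sample in the shape of the thread's data (not real captured
# traffic): two messages, each starting at column 0 with "<< UDP-1128 Nocrypto"
# and ending with an indented "Content-Length: 0" line.
SAMPLE = (
    "<< UDP-1128 Nocrypto 192.0.2.10:5060\n"
    "    REGISTER sip:example.invalid SIP/2.0\n"
    "    Via: SIP/2.0/UDP 192.0.2.10:5060\n"
    "    Content-Length: 0\n"
    "<< UDP-1128 Nocrypto 192.0.2.11:5060\n"
    "    REGISTER sip:example.invalid SIP/2.0\n"
    "    Content-Length: 0\n"
)

# The two props.conf stanzas from the thread, as dictionaries.
ORIGINAL_PROPS = {
    "LINE_BREAKER": r"([\r\n]+)",
    "SHOULD_MERGE": "true",  # not a real props.conf key: Splunk ignores it
    "BREAK_ONLY_BEFORE": r"\s+<<\sUDP-\d+\sNoCrypto",
    "MUST_BREAK_AFTER": r"Content-Length",
}
ANSWER_PROPS = {
    "LINE_BREAKER": r"([\r\n]+)",
    "SHOULD_LINEMERGE": "True",
    "BREAK_ONLY_BEFORE": r"^\s*<<\s*UDP-\d+\s+",
}

# Only these attributes are modelled here; everything else is dropped.
KNOWN_KEYS = {"LINE_BREAKER", "SHOULD_LINEMERGE", "BREAK_ONLY_BEFORE", "MUST_BREAK_AFTER"}


def break_lines(raw, props):
    """LINE_BREAKER step: the regex's capture group is the boundary and is
    discarded, so each returned string is one raw line."""
    parts = re.split(props.get("LINE_BREAKER", r"([\r\n]+)"), raw)
    return [line for line in parts[0::2] if line]


def merge_lines(lines, props):
    """Simplified SHOULD_LINEMERGE stage. A new event starts before a line that
    matches BREAK_ONLY_BEFORE, or after a line that matched MUST_BREAK_AFTER;
    with SHOULD_LINEMERGE=false every line is its own event."""
    props = {k: v for k, v in props.items() if k in KNOWN_KEYS}
    if props.get("SHOULD_LINEMERGE", "true").lower() != "true":
        return list(lines)
    before = re.compile(props["BREAK_ONLY_BEFORE"]) if "BREAK_ONLY_BEFORE" in props else None
    after = re.compile(props["MUST_BREAK_AFTER"]) if "MUST_BREAK_AFTER" in props else None
    events, current, force_break = [], [], False
    for line in lines:
        start_new = force_break or (before is not None and before.search(line) is not None)
        if start_new and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
        force_break = after is not None and after.search(line) is not None
    if current:
        events.append("\n".join(current))
    return events


def events_for(raw, props):
    """Full pipeline: raw text -> lines -> merged events."""
    return merge_lines(break_lines(raw, props), props)


def header_matches(props, raw):
    """How many raw lines the stanza's BREAK_ONLY_BEFORE actually fires on."""
    rx = re.compile(props["BREAK_ONLY_BEFORE"])
    return sum(1 for line in break_lines(raw, props) if rx.search(line))


if __name__ == "__main__":
    for name, props in (("original", ORIGINAL_PROPS), ("answer", ANSWER_PROPS)):
        evs = events_for(SAMPLE, props)
        print(f"{name}: BREAK_ONLY_BEFORE fires on {header_matches(props, SAMPLE)} line(s), "
              f"{len(evs)} event(s)")
        for ev in evs:
            print("----\n" + ev)
    # What the thread's symptom looks like in this model: line merging off.
    print("SHOULD_LINEMERGE=false ->",
          len(events_for(SAMPLE, dict(ANSWER_PROPS, SHOULD_LINEMERGE="false"))), "events")
```

Removing MUST_BREAK_AFTER from the original stanza in this model collapses the whole sample into one event, because its BREAK_ONLY_BEFORE never matches; the answer's stanza still yields one event per message. Run the script against a copy of your own file before restarting indexers, and remember that only data indexed after the restart reflects the new stanza.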


Re: props.conf doesn't work properly

Explorer

I will try it later, and I will let you know the result. Thanks!
