Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

props.conf event breaks

aaronkorn
Splunk Employee
Splunk Employee
‎07-17-2013 06:30 AM

Hello,

We have the following format of a log starting with the first message in the log as Status_AdvCorrServerSerial = 0 then the last line of the event as RawCaptureTimeStamp = #, which we set at the timestamp. After the event in the format below there are 2 spaces between each event then it goes into the same format again.

Status_AdvCorrServerSerial = 0
50 Some lines of material...
RawCaptureTimeStamp = 1373987459
-new line-
-new line-
Status_AdvCorrServerSerial = 0
50 Some lines of material...
RawCaptureTimeStamp = 1373987459

Here is our props.conf but it does not seem to properly break on all events:

[ncpmonitor]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=Status_AdvCorrServerSerial =
TIME_PREFIX=RawCaptureTimeStamp =

Is there something additional I should add to account for the 2 spaces between events or does this props.conf entry look alright?

Thanks!

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎07-17-2013 11:52 AM

I would probably change the regexes a bit so that they are more flexible regarding the spacing:

[ncpmonitor]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=Status_AdvCorrServerSerial\s*=
TIME_PREFIX=RawCaptureTimeStamp\s*=\s*

Where exactly are the "spaces"? Are you talking about 2 blank lines between events or two spaces that sometimes appear at the beginning of the line with Status_AdvCorrServerSerial? Splunk should only break events at a line break when you are using BREAK_ONLY_BEFORE - it should break at the beginning of the line that matches.

Reply

lguinn2
Legend
‎07-17-2013 02:20 PM

You could also try

BREAK_ONLY_BEFORE=\s*Status_AdvCorrServerSerial\s*

It shouldn't make a difference, though.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎07-17-2013 01:04 PM

Beat me to it. One other thing is you may need to specify TIME_FORMAT=%s for the epoch time stamp recognition.

0 Karma
Reply

aaronkorn
Splunk Employee
Splunk Employee
‎07-17-2013 12:39 PM

Thanks for your post. The two spaces are between events. Ill give this a shot

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...