Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

props.conf event breaks

aaronkorn
Splunk Employee
Splunk Employee
‎07-17-2013 06:30 AM

Hello,

We have the following format of a log starting with the first message in the log as Status_AdvCorrServerSerial = 0 then the last line of the event as RawCaptureTimeStamp = #, which we set at the timestamp. After the event in the format below there are 2 spaces between each event then it goes into the same format again.

Status_AdvCorrServerSerial = 0
50 Some lines of material...
RawCaptureTimeStamp = 1373987459
-new line-
-new line-
Status_AdvCorrServerSerial = 0
50 Some lines of material...
RawCaptureTimeStamp = 1373987459

Here is our props.conf but it does not seem to properly break on all events:

[ncpmonitor]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=Status_AdvCorrServerSerial =
TIME_PREFIX=RawCaptureTimeStamp =

Is there something additional I should add to account for the 2 spaces between events or does this props.conf entry look alright?

Thanks!

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎07-17-2013 11:52 AM

I would probably change the regexes a bit so that they are more flexible regarding the spacing:

[ncpmonitor]
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=Status_AdvCorrServerSerial\s*=
TIME_PREFIX=RawCaptureTimeStamp\s*=\s*

Where exactly are the "spaces"? Are you talking about 2 blank lines between events or two spaces that sometimes appear at the beginning of the line with Status_AdvCorrServerSerial? Splunk should only break events at a line break when you are using BREAK_ONLY_BEFORE - it should break at the beginning of the line that matches.

Reply

lguinn2
Legend
‎07-17-2013 02:20 PM

You could also try

BREAK_ONLY_BEFORE=\s*Status_AdvCorrServerSerial\s*

It shouldn't make a difference, though.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎07-17-2013 01:04 PM

Beat me to it. One other thing is you may need to specify TIME_FORMAT=%s for the epoch time stamp recognition.

0 Karma
Reply

aaronkorn
Splunk Employee
Splunk Employee
‎07-17-2013 12:39 PM

Thanks for your post. The two spaces are between events. Ill give this a shot

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...