Solved: props

abhi04 · ‎02-05-2024

Hi I am trying to divide the the logs into different evwnt based on below scenario:

I have one single event currently:

Issuer : hjlhjk

a: xyz

PrivateKey : abc

Issuer : dfjh

a: fhfh

PrivateKey : dsgd

Now I want it as two events:

event1:

Issuer : hjlhjk

a: xyz

PrivateKey : abc

event2:

Issuer : dfjh

a: fhfh

PrivateKey : dsgd

how can i get this?

I tried below line breaking which is not working

[sourcetype]
LINE_BREAKER = ([\r\n]+)(PrivateKey)

[sourcetype]
BREAK_ONLY_BEFORE = Issuer
SHOULD_LINEMERGE = false

scelikok · ‎02-05-2024

Hi @abhi04 ,

Can you please try below?

[sourcetype]
LINE_BREAKER = PrivateKey\s+:\s+\w+([\r\n]+)
SHOULD_LINEMERGE = false

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎02-05-2024

Hi @abhi04 ,

Can you please try below?

[sourcetype]
LINE_BREAKER = PrivateKey\s+:\s+\w+([\r\n]+)
SHOULD_LINEMERGE = false

If this reply helps you an upvote and "Accept as Solution" is appreciated.

abhi04 · ‎02-06-2024

Hi @scelikok I missed mentioning that Private key can be one of the below format:

format 1:

PrivateKey : abc.def.ghi.jkl

format 2:

PrivateKey :

Meaning it can be empty as well as in format 1

abhi04 · ‎02-05-2024

These logs are collected using scripted input using .bat file it has several lines in one events , I only showed 6 lines per event but the repetion is same with more lines in between privatekey and issuer

props

props.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?