Getting Data In

splunk ignoring LINE_BREAKER

phemmer
Path Finder

I've configured a source type in props.conf with LINE_BREAKER = (\n+) to remove the \r from the default value. This was done so that we can send multi-line events using \r as the delimiter between lines, and \n as the delimiter between events.
The problem, however, is that Splunk is still breaking messages into multiple events on the \r character.

Any ideas why?

Here's an example.
This screenshot is the tcpdump output of a 2-line message, where the second line should be this is line 2.

Here's the event as shown by the search app.

Here's the active sourcetype configuration:

The etc/system/local/props.conf on the indexer nodes:

[syslog]
LINE_BREAKER = (\n+)

phemmer
Path Finder

Figured it out.
We had an app which was doing transforms on syslog sources. However, the regex it was using used .* to match all data, but . doesn't match carriage return (by default).
I tweaked the regex the app uses to add (?s) to set the regex flag letting it match.

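To see the mechanism behind this answer, here is an added example (not from the original thread or from Splunk): it emulates LINE_BREAKER splitting and a transform-style regex on a constructed two-line event. JavaScript is used because its `.` also excludes carriage return, matching what the author hit in Splunk's PCRE, and its `/s` flag plays the role of the `(?s)` fix; the rule `^<\d+>(.*)` is a hypothetical stand-in for the app's regex.

```javascript
// Constructed sample stream (not from the original post): two events delimited
// by \n; the first carries two lines delimited by \r, the convention the
// question describes.
const STREAM =
  "<13>Feb 10 12:00:00 host app: this is line 1\rthis is line 2\n" +
  "<13>Feb 10 12:00:01 host app: single line event\n";

// Emulate props.conf LINE_BREAKER: split the stream on the capturing group.
// split() with a capturing group interleaves the separators at odd indexes,
// so keep only the even-indexed, non-empty pieces (the events).
function breakEvents(stream, lineBreaker) {
  return stream.split(lineBreaker).filter((s, i) => i % 2 === 0 && s !== "");
}

// Hypothetical transforms.conf-style rule capturing the message body after
// the syslog priority into $1, once without and once with dot-all mode.
// JavaScript's "." excludes \r just as the author found in Splunk's PCRE;
// the /s flag here stands in for the inline (?s) added to the app's regex.
const BODY_NO_DOTALL = /^<\d+>(.*)/;  // REGEX = ^<\d+>(.*)
const BODY_DOTALL    = /^<\d+>(.*)/s; // REGEX = (?s)^<\d+>(.*)

function extractBody(event, regex) {
  const m = regex.exec(event);
  return m ? m[1] : null;
}

// Run both breakers and both regexes over the sample and report what a
// transform would keep of each event.
function demo() {
  const events = breakEvents(STREAM, /(\n+)/); // the author's LINE_BREAKER
  return {
    eventsWithDefaultBreaker: breakEvents(STREAM, /([\r\n]+)/).length, // 3
    eventsWithCustomBreaker: events.length,                             // 2
    perEvent: events.map((ev) => ({
      linesInEvent: ev.split("\r").length,
      bodyWithoutDotall: extractBody(ev, BODY_NO_DOTALL), // stops at \r
      bodyWithDotall: extractBody(ev, BODY_DOTALL),       // spans both lines
    })),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Without dot-all the capture ends at the \r, so a transform writing $1 back would silently drop the second line; with it the whole two-line event survives.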
s2_splunk
Splunk Employee

The sourcetype definition in your screenshot does not match what you list under etc/system/local/props.conf on the indexer nodes!? Looks like you have defined the sourcetype in the app called "AppsBrowser", can you share the props.conf file from etc/apps/appsBrowser/local, please?

phemmer
Path Finder

@alemarzu sorry, looks like the screenshots broke. I uploaded them to an image host.

@ssievert: I don't know why that shows "AppsBrowser". I've never touched that. There is no etc/appsbrowser/local, and etc/appsbrowser/default has no props.conf.

@richgalloway: That is the default, so I just left it alone for now. However if SHOULD_LINEMERGE were causing a problem, there would be too many lines in a single event, which is the opposite of my problem.

richgalloway
SplunkTrust

The Admin manual says LINE_BREAKER should only be used when SHOULD_LINEMERGE=false. It also says BREAK_ONLY_BEFORE only applies if SHOULD_LINEMERGE=true, so it doesn't make sense to have both LINE_BREAKER and BREAK_ONLY_BEFORE in the same sourcetype. Also, while LINE_BREAKER requires a capturing group, there is no explicit requirement for a capturing group in BREAK_ONLY_BEFORE.

---
If this reply helps you, Karma would be appreciated.

alemarzu
Motivator

Hi there phemmer,

Would you mind pasting the sample data?
