Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Monitoring Splunk
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Why does the Ping audit format break with props?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
04-19-2019
01:09 PM
The audit file has this format -
# 18/Apr/2019:14:59:38.341 -0500; ....
dn: dc=....
changetype: modify
replace: ds-sync-state
ds-sync-state: .....
# 18/Apr/2019:15:01:32.404 -0500; ....
dn: uid=Testing123,....
changetype: delete
# 18/Apr/2019:15:01:33.352 -0500; ....
dn: dc=....
changetype: modify
replace: ds-sync-state
ds-sync-state: .....
In props.conf I have -
[ldap:....]
disabled=false
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\#\s+\S+
TIME_FORMAT=%d/%b/%Y:%H:%M:%S.%3N %z
TIME_PREFIX=^\#\s+
MAX_TIMESTAMP_LOOKAHEAD=50
TRUNCATE=10000
The parsing doesn't always work and I end up with events with multiple lines such as -
# 18/Apr/2019:14:59:38.341 -0500; ....
This line should be only the starting line of each event.
What am I missing?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-19-2019
01:43 PM
Give this a try
[ldap:....]
disabled=false
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?=\s*\#\s+\d+\/\w+)
TIME_FORMAT=%d/%b/%Y:%H:%M:%S.%3N %z
TIME_PREFIX=^\s*#\s+
MAX_TIMESTAMP_LOOKAHEAD=30
TRUNCATE=10000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-19-2019
01:43 PM
Give this a try
[ldap:....]
disabled=false
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?=\s*\#\s+\d+\/\w+)
TIME_FORMAT=%d/%b/%Y:%H:%M:%S.%3N %z
TIME_PREFIX=^\s*#\s+
MAX_TIMESTAMP_LOOKAHEAD=30
TRUNCATE=10000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
04-22-2019
08:00 AM
Gorgeous @somesoni2 - what might have gone wrong with the original props set up? Does _internal capture incorrect set-ups, like my original one?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-22-2019
08:14 AM
Main change I did was to update LINE_BREAKER to handle possible spaces before # in the raw data. Again, unless there is a syntax error, all regex are valid for Splunk and you'll not see any error (Splunk can't decide if you want to merge those events or not).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
04-22-2019
08:37 AM
Perfect - makes sense.
Get Updates on the Splunk Community!
Splunk Classroom Chronicles: Training Tales and Testimonials
Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...
Access Tokens Page - New & Improved
Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...
