Splunk Enterprise

Event Line Break

JagsP
Explorer

Hello everyone,

Please check the below data :

ERROR 2024-08-09 14:19:22,707 email-slack-notification-impl-flow.BLOCKING @3372f96f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 5-03aca501-42b3-11ef-ad89-0a2944cc61cb] error.notification.details: {
"correlationId" : "5-03aca501-42b3-11ef-ad89-0a2944cc61cb",
"message" : "Error Details",
"tracePoint" : "FLOW",
"priority" : "ERROR",

}

ERROR 2024-08-09 14:19:31,389 email-slack-notification-impl-flow.BLOCKING @22feab4f] [processor: email-slack-notification-impl-flow/processors/2/route/0/processors/0; event: 38de9c30-49eb-11ef-8a9e-02cfc6727565] error.notification.details: {
"correlationId" : "38de9c30-49eb-11ef-8a9e-02cfc6727565",
"message" : "Error Details", 
"priority" : "ERROR",

}

The above 2 blocks of data are coming as one event but I want them to be 2 events each starting from keyword "Error".

Below is my props.config entry for same but not working:

applog_test]

DATETIME_CONFIG =

LINE_BREAKER = ([\r\n]+)

NO_BINARY_CHECK = true

category = Custom

disabled = false

pulldown_type = true

BREAK_ONLY_BEFORE = date

SHOULD_LINEMERGE = true

TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

TIME_PREFIX=ERROR\s+

Please help how to fix this.

Thanks in advance!

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try these settings

[applog_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)ERROR
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ERROR\s+

Don't specify BREAK_ONLY_BEFORE_DATE if you want to break at something other than a date.  Also, don't use both BREAK_ONLY_BEFORE_DATE and LINE_BREAKER in the same stanza.  When using LINE_BREAKER, set SHOULD_LINEMERGE to false.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try these settings

[applog_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)ERROR
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ERROR\s+

Don't specify BREAK_ONLY_BEFORE_DATE if you want to break at something other than a date.  Also, don't use both BREAK_ONLY_BEFORE_DATE and LINE_BREAKER in the same stanza.  When using LINE_BREAKER, set SHOULD_LINEMERGE to false.

---
If this reply helps you, Karma would be appreciated.

JagsP
Explorer

Thanks @richgalloway The solution worked .

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

+1 on that. Whenever possible, don't use SHOULD_LINEMERGE=true. It's a very expensive setting causing Splunk to try to re-merge already split events into bigger ones. While it has some use in very specific border cases as a rule of thumb you should avoid using it completely. That's what proper LINE_BREAKER is for.

0 Karma

JagsP
Explorer

Thanks @richgalloway Trying it out now. will let you know if it works.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

My presentation about Data Onboarding for Helsinki UG. https://data-findings.com/wp-content/uploads/2024/04/Data-OnBoarding-2024-04-03.pdf 

It contains some hints and workflow how you could test data onboarding on your own workstation.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...