Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Help with props for this sample log?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-25-2023
03:31 PM
Hi All,
below are the sample logs:
can i get props for this sample logs.
-------------------------------------------------------------
Time: 02/12/2021 01:45:05.777
Message: there is a exception error code gg456hhhrgh34567
type: application code
data: system
--------------------------------------------------------------------------------------------------------------------------
Time: 24/12/2021 01:45:05.777
Message: there is a exception error code 897fghj56879hgj
type: application code jobs
data: system jobs
-------------------------------------------------------------
-------------------------------------------------------------
Time: 28/12/2021 02:54:15.767
Message: there is a exception error code 89hjyt5643edhjjy656
type: application code error
data: system error
---------------------------------------------------------------------------------------------------
Timeline: 12/02/2021 12:44:32.667
Message Details - Application code contains error at 12/02/2021 11:30:00.212
----------------------------------------------------------------------------
Timeline: 23/02/2021 10:23:22.124
Message Details - Application code contains error at 12/02/2021 08:20:10.100
----------------------------------------------------------------------------
Timeline: 24/02/2021 10:20:12.667
Message Details - Application code contains error at 24/02/2021 07:10:23.112
--------------------------------------
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-26-2023
02:34 PM
If you want to keep the lines (I don't understand why, since they're of little value), then remove the SEDCMD and use this line breaker.
LINE_BREAKER = --+([\r\n]+)--+
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-25-2023
04:47 PM
What have you tried so far? How did work for you?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-25-2023
07:21 PM
i tried the blow props but ----- is coming down like this
[sourcetype]
LINE_BREAKER=[r\n]Timeline:\s\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{3}|Time:\s\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{3}
TIME_FORMAT=%d/%m/%Y %H:%M:%S.%3N
disabled=false
truncate=50000
MAX_TIMESTAMP_LOOKAHEAD=40
should_linemerge=false
Timeline: 23/02/2021 10:23:22.124
Message Details - Application code contains error at 12/02/2021 08:20:10.100
--------------------------------------
--------------------------------------Time: 02/12/2021 01:45:05.777
Message: there is a exception error code gg456hhhrgh34567
type: application code
data: system
-------------------------------------------------------------
-------------------------------------------------------------
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-26-2023
07:42 AM
Try these settings
[sourcetype]
LINE_BREAKER = ([\r\n]+)Time
TIME_FORMAT = %d/%m/%Y %H:%M:%S.%3N
disabled = false
TRUNCATE = 50000
MAX_TIMESTAMP_LOOKAHEAD = 40
SHOULD_LINEMERGE = false
SEDCMD-nodashes = s/--+//g
The original LINE_BREAKER setting was longer than it needed to be and didn't have a required capture group. The SEDCMD setting removes the lines of dashes.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-26-2023
10:52 AM
Hi @richgalloway ,
if we use SEDCMD the --- lines are disappearing but i want that lines should display like shown below.
how can i do that??
------------------------------------------------------------- Time: 02/12/2021 01:45:05.777 Message: there is a exception error code gg456hhhrgh34567 type: application code data: system -------------------------------------------------------------
------------------------------------------------------------- Time: 24/12/2021 01:45:05.777 Message: there is a exception error code 897fghj56879hgj type: application code jobs data: system jobs -------------------------------------------------------------
------------------------------------------------------------- Time: 28/12/2021 02:54:15.767 Message: there is a exception error code 89hjyt5643edhjjy656 type: application code error data: system error -------------------------------------------------------------
-------------------------------------- Timeline: 12/02/2021 12:44:32.667 Message Details - Application code contains error at 12/02/2021 11:30:00.212 --------------------------------------
-------------------------------------- Timeline: 23/02/2021 10:23:22.124 Message Details - Application code contains error at 12/02/2021 08:20:10.100 --------------------------------------
-------------------------------------- Timeline: 24/02/2021 10:20:12.667 Message Details - Application code contains error at 24/02/2021 07:10:23.112 --------------------------------------
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-26-2023
02:34 PM
If you want to keep the lines (I don't understand why, since they're of little value), then remove the SEDCMD and use this line breaker.
LINE_BREAKER = --+([\r\n]+)--+
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...
Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...
