Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Help with props for this sample log?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-25-2023
03:31 PM
Hi All,
below are the sample logs:
can i get props for this sample logs.
-------------------------------------------------------------
Time: 02/12/2021 01:45:05.777
Message: there is a exception error code gg456hhhrgh34567
type: application code
data: system
--------------------------------------------------------------------------------------------------------------------------
Time: 24/12/2021 01:45:05.777
Message: there is a exception error code 897fghj56879hgj
type: application code jobs
data: system jobs
-------------------------------------------------------------
-------------------------------------------------------------
Time: 28/12/2021 02:54:15.767
Message: there is a exception error code 89hjyt5643edhjjy656
type: application code error
data: system error
---------------------------------------------------------------------------------------------------
Timeline: 12/02/2021 12:44:32.667
Message Details - Application code contains error at 12/02/2021 11:30:00.212
----------------------------------------------------------------------------
Timeline: 23/02/2021 10:23:22.124
Message Details - Application code contains error at 12/02/2021 08:20:10.100
----------------------------------------------------------------------------
Timeline: 24/02/2021 10:20:12.667
Message Details - Application code contains error at 24/02/2021 07:10:23.112
--------------------------------------
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-26-2023
02:34 PM
If you want to keep the lines (I don't understand why, since they're of little value), then remove the SEDCMD and use this line breaker.
LINE_BREAKER = --+([\r\n]+)--+
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-25-2023
04:47 PM
What have you tried so far? How did work for you?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-25-2023
07:21 PM
i tried the blow props but ----- is coming down like this
[sourcetype]
LINE_BREAKER=[r\n]Timeline:\s\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{3}|Time:\s\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{3}
TIME_FORMAT=%d/%m/%Y %H:%M:%S.%3N
disabled=false
truncate=50000
MAX_TIMESTAMP_LOOKAHEAD=40
should_linemerge=false
Timeline: 23/02/2021 10:23:22.124
Message Details - Application code contains error at 12/02/2021 08:20:10.100
--------------------------------------
--------------------------------------Time: 02/12/2021 01:45:05.777
Message: there is a exception error code gg456hhhrgh34567
type: application code
data: system
-------------------------------------------------------------
-------------------------------------------------------------
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-26-2023
07:42 AM
Try these settings
[sourcetype]
LINE_BREAKER = ([\r\n]+)Time
TIME_FORMAT = %d/%m/%Y %H:%M:%S.%3N
disabled = false
TRUNCATE = 50000
MAX_TIMESTAMP_LOOKAHEAD = 40
SHOULD_LINEMERGE = false
SEDCMD-nodashes = s/--+//g
The original LINE_BREAKER setting was longer than it needed to be and didn't have a required capture group. The SEDCMD setting removes the lines of dashes.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-26-2023
10:52 AM
Hi @richgalloway ,
if we use SEDCMD the --- lines are disappearing but i want that lines should display like shown below.
how can i do that??
------------------------------------------------------------- Time: 02/12/2021 01:45:05.777 Message: there is a exception error code gg456hhhrgh34567 type: application code data: system -------------------------------------------------------------
------------------------------------------------------------- Time: 24/12/2021 01:45:05.777 Message: there is a exception error code 897fghj56879hgj type: application code jobs data: system jobs -------------------------------------------------------------
------------------------------------------------------------- Time: 28/12/2021 02:54:15.767 Message: there is a exception error code 89hjyt5643edhjjy656 type: application code error data: system error -------------------------------------------------------------
-------------------------------------- Timeline: 12/02/2021 12:44:32.667 Message Details - Application code contains error at 12/02/2021 11:30:00.212 --------------------------------------
-------------------------------------- Timeline: 23/02/2021 10:23:22.124 Message Details - Application code contains error at 12/02/2021 08:20:10.100 --------------------------------------
-------------------------------------- Timeline: 24/02/2021 10:20:12.667 Message Details - Application code contains error at 24/02/2021 07:10:23.112 --------------------------------------
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-26-2023
02:34 PM
If you want to keep the lines (I don't understand why, since they're of little value), then remove the SEDCMD and use this line breaker.
LINE_BREAKER = --+([\r\n]+)--+
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
