Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to break events for the following search?

rukshar
Loves-to-Learn Everything
‎08-03-2023 08:43 AM

Hi Everyone,Could you please help me break below events 

Expected Events:

Subject : ABCD
FriendlyName : ABCD
Issuer : ABCD
Thumbprint : 3CBB2CACD16
NotAfter : 2025
Expires in (Days) : 0
ForSplunk : Break



Events which is getting received:

NotAfter : 2025
Expires in (Days) : 0
ForSplunk : Break
Subject : ABCD
FriendlyName :ABCD
Issuer : ABCD
Thumbprint :3CBB2CACD16

Subject : ABCD
FriendlyName :ABCD
Issuer : ABCD
Thumbprint : 3CBB2CACD16
NotAfter : 2025
Expires in (Days) : 68
ForSplunk : Break



I want my Events to break after FOR SPLUNK : BREAK but its creating issue for some of the events and not for all.I dont know why its working in some cases and not working in some of the cases.

 

This is there in my props.conf

[MY-SOURCETYPE]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
pulldown_type = 1
TIME_FORMAT = %Y-%m-%d_%H:%M:%S_%p
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = Break
disabled = false
Labels (2)
Tags (2)
0 Karma
Reply

rukshar
Loves-to-Learn Everything
‎08-04-2023 08:23 AM

I tried the given props.conf but no luck 😞

The events are not breaking after BREAK 

Any suggestion further would be appreaciated . Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2023 11:32 AM

Try using LINE_BREAKER to break events before "SUBJECT" (the apparent start of an event).

[MY-SOURCETYPE]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)SUBJECT
NO_BINARY_CHECK = true
category = custom
pulldown_type = 1
TIME_FORMAT = %Y-%m-%d_%H:%M:%S_%p
SHOULD_LINEMERGE = false
disabled = false

You have TIME_FORMAT specified, but I don't see TIME_PREFIX.  They usually go together.  Nor do I see a timestamp in the sample events so perhaps TIME_FORMAT is not needed.

 

---
If this reply helps you, Karma would be appreciated.
Reply

rukshar
Loves-to-Learn Everything
‎08-03-2023 11:25 PM

Expected EventsExpected Events

 

1cacd6f2-5f44-42fd-8061-a94150a11c77.png



Thanks @richgalloway for your response 
However I have timestamp in my sample events . PFA images for more clear picture 
Could you please let me know what would be the TIME_PREFIX in this case then.

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2023 05:14 AM

I still do not see a timestamp in the events.  Splunk has assigned a value to _time for each event, but that does not mean the raw data contains a time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...