Splunk Enterprise

How to configure Props.conf to break the events only before a specific line?

AdsicSplunk
New Member

I have a requirement to merge multiple lines that the indexer by default breaks into multiple events, and to make them one event before a specific line comes. The sample log file data is given below:-

2018-03-05 15:23:03.123 [ISC.0038.0002D] <-- abcd-efgh-ijkl
2018-03-05 15:23:03.234 [ISC.0038.0002D] <-- Length=550
2018-03-05 15:23:03.345 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.456 [ISC.0038.0002D] <-- Connection: 1
2018-03-05 15:23:03.567 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:03.678 [ISC.0038.0002D] <-- Length=600
2018-03-05 15:23:03.789 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.890 [ISC.0038.0002D] <-- Connection: 2
2018-03-05 15:23:04.321 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:05.432 [ISC.0038.0002D] <-- Length=600
2018-03-05 15:23:06.542 [ISC.0038.0002D] <-- Host: localhost:7001

props.conf:-

[source::/opt/saggw101/IntegrationServer/instances/default/logs/server.log*]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}\s[\w{3}.\d{4}.\d{4}\w{1}]\s\W{3}\s\w{4}:\s\w{9}:\d{4}

The above config is not working for me; it still creates one event for each line. What I want is something like

Event 1:-
2018-03-05 15:23:03.345 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.456 [ISC.0038.0002D] <-- Connection: 1
2018-03-05 15:23:03.567 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:03.678 [ISC.0038.0002D] <-- Length=600

Event 2:-
2018-03-05 15:23:03.789 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.890 [ISC.0038.0002D] <-- Connection: 2
2018-03-05 15:23:04.321 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:05.432 [ISC.0038.0002D] <-- Length=600

Could anyone help me out with this?


harsmarvania57
SplunkTrust

Hi @AdsicSplunk

Please try the below config in props.conf on the Indexer or Heavy Forwarder, whichever comes first, and then restart Splunk.

[source::/opt/saggw101/IntegrationServer/instances/default/logs/server.log*]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\[\w+\.\d+\.\w+\]\s+\W{3}\s+Host:\s+\w+:\d+
BREAK_ONLY_BEFORE_DATE=false

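To check both BREAK_ONLY_BEFORE patterns offline before touching props.conf, here is an added Python approximation of Splunk's SHOULD_LINEMERGE behaviour (example code, not part of this thread and not Splunk's own code) that replays the sample lines from the question under the question's config and under the accepted answer's config. It assumes Python's re module behaves like Splunk's PCRE for these two patterns and uses a simplified date check in place of Splunk's timestamp recognition.

```python
import re

# Sample lines constructed from the log excerpt in the question.
SAMPLE_LOG = """\
2018-03-05 15:23:03.123 [ISC.0038.0002D] <-- abcd-efgh-ijkl
2018-03-05 15:23:03.234 [ISC.0038.0002D] <-- Length=550
2018-03-05 15:23:03.345 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.456 [ISC.0038.0002D] <-- Connection: 1
2018-03-05 15:23:03.567 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:03.678 [ISC.0038.0002D] <-- Length=600
2018-03-05 15:23:03.789 [ISC.0038.0002D] <-- Host: localhost:7001
2018-03-05 15:23:03.890 [ISC.0038.0002D] <-- Connection: 2
2018-03-05 15:23:04.321 [ISC.0038.0002D] <-- mnop-qrst-uvw-xyz
2018-03-05 15:23:05.432 [ISC.0038.0002D] <-- Length=600
2018-03-05 15:23:06.542 [ISC.0038.0002D] <-- Host: localhost:7001
"""

# BREAK_ONLY_BEFORE from the question: the square brackets are not escaped, so
# [\w{3}.\d{4}.\d{4}\w{1}] is a one-character class and never matches "[ISC.0038.0002D]".
ORIGINAL_RE = r"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}\s[\w{3}.\d{4}.\d{4}\w{1}]\s\W{3}\s\w{4}:\s\w{9}:\d{4}"
# BREAK_ONLY_BEFORE from the accepted answer: escaped brackets and a literal "Host:".
FIXED_RE = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\[\w+\.\d+\.\w+\]\s+\W{3}\s+Host:\s+\w+:\d+"
# Simplified stand-in for Splunk's timestamp recognition (assumption: only this log's format).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def line_merge(text, break_only_before, break_only_before_date=True):
    """Approximate SHOULD_LINEMERGE=true: glue consecutive lines into one event and
    start a new event only at a line matching BREAK_ONLY_BEFORE or, while
    BREAK_ONLY_BEFORE_DATE is true (Splunk's default), at a line carrying a timestamp."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in text.splitlines():
        starts_event = pattern.search(line) is not None or (
            break_only_before_date and DATE_RE.match(line) is not None)
        if starts_event and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    # Question's config: the regex never fires, the date rule fires on every line -> 11 events.
    print(len(line_merge(SAMPLE_LOG, ORIGINAL_RE)))
    # Accepted answer: date rule off, a break lands before each "Host:" line -> 4 events.
    for i, ev in enumerate(line_merge(SAMPLE_LOG, FIXED_RE, break_only_before_date=False)):
        print(f"Event {i}:\n{ev}\n")
```

Events 1 and 2 of the second run are exactly the two events the question asks for; event 0 is the two lines before the first Host: line, which Splunk would also group into an event of their own.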

deepashri_123
Motivator

Hey AdsicSplunk,

You can try this:

[source::/opt/saggw101/IntegrationServer/instances/default/logs/server.log*]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
MUST_BREAK_AFTER = (Length)=\d+

Let me know if this helps!!


AdsicSplunk
New Member

Thank you deepashri_123, I tried the answer by harsmarvania57 and it worked for me.


AdsicSplunk
New Member

Thank you @harsmarvania57, this worked pretty well.
