Splunk Enterprise

Line breaking using props.conf

RanjithaN99
Explorer

{"body":"2024-04-29T20:25:08.175779 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XX Logon Failed: Anonymous\n2024-04-29T20:25:10.190339 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-29T20:25:10.241220 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-29T20:25:10.342343 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n","x-opt-sequence-number-epoch":-1,"x-opt-sequence-number":1599,"x-opt-offset":"3642132344","x-opt-enqueued-time":1714422318556}
{"body":"2024-04-24T12:46:29.292880 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.634829 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n2024-04-24T12:46:34.651499 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.653643 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n2024-04-24T12:46:34.662636 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.712475 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:34.723543 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n2024-04-24T12:46:36.403615 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n","x-opt-sequence-number-epoch":-1,"x-opt-sequence-number":156626,"x-opt-offset":"3560527888816","x-opt-enqueued-time":1713962799368}
{"body":"2024-04-24T01:04:30.375693 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Failed: Anonymous\n2024-04-24T01:04:35.034067 HTTPS REST-API 10.10.11.11:2132 XXX-XXX-XXX Logon Success: blah-blah-blah\n","x-opt-sequence-number-epoch":-1,"x-opt-sequence-number":156,"x-opt-offset":"355193796","x-opt-enqueued-time":171392067}

 

 

I have pasted my raw log samples in the above space. Can someone please help me to break these into multiple evnts using props.conf

I wish to break the lines before each timestamp (highlighted).

 

Thanks,

Ranjitha

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ugh. That's bad. While @richgalloway 's solution should work (you can try to be even more explicit with more precise definition of the timestamp format for linebreaking you'll be getting some ugly trailers to some of your events. Also since these are contents of a json field, some characters will most probably be escaped.

It would be best if you managed to:

1) Work with the source side so that you get your event in a more reasonable way (without all this json overhead) - preferred option

2) If you can't do that, use a pre-processing step in form of an external script/tool/whatever which will "unpack" those jsons and just leave you with raw data.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try 

LINE_BREAKER = ()\d{4}-\d\d
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...