- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Linebreak
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Linebreak
Hello Guys,
Below is my initial event and i want to break each from the staring of this event. As i tried various attributes in props.conf but no luck to break the event from this line.
I used as of now:
LINE_BREAKER = ^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s\d{14}
TIME_PREFIX = ^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s
TIME_FORMAT= %Y%m%d%H%M%S
**********************
Windows PowerShell transcript start
Start time: 20210223060505
Please suggest me what i did wrong in above props.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti They suggested, use the add-on which they created and i am able to use Add-on directly in my environment. Is there any other approach to break the lines .
SHOULD_LINEMERGE=false
LINE_BREAKER=^[*]+\n[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\nStart\stime\:\s\d{14}
CHARSET=UTF-8
TIME_FORMAT=%Y%m%d%H%M%S
Still it is not breaking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @uagraw01,
The regex configured forLINE_BREAKER must contain a capturing group. Also, set SHOULD_LINEMERGE to false. Restart forwarder once you add these configurations in props.conf.
LINE_BREAKER = (\*{22}\n)
TIME_PREFIX = \Start\stime\:\s
TIME_FORMAT= %Y%m%d%H%M%S
SHOULD_LINEMERGE = false
If this reply helps you, a like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti It is still not breaking from the second event start from
*********************
Windows PowerShell transcript start
Start time:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
LINE_BREAKER = (\*{22}\n\w+\s\w+\s\w+\sstart\n)Note that this will not add the below lines to your events:
*********************
Windows PowerShell transcript start
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti Below are my raw data
Windows PowerShell transcript end
End time: 20210223060514
**********************
**********************
Windows PowerShell transcript start
Start time: 20210209051406
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an app developed to consume Windows PowerShell transcript logs:
Check this:
https://github.com/HurricaneLabs/TA-powershell_transcript
It is also there in Splunk base: https://splunkbase.splunk.com/app/4984/#/details
If this reply helps you, a like would be appreciated.
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
