Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Linebreak
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Linebreak
Hello Guys,
Below is my initial event and i want to break each from the staring of this event. As i tried various attributes in props.conf but no luck to break the event from this line.
I used as of now:
LINE_BREAKER = ^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s\d{14}
TIME_PREFIX = ^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s
TIME_FORMAT= %Y%m%d%H%M%S
**********************
Windows PowerShell transcript start
Start time: 20210223060505
Please suggest me what i did wrong in above props.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti They suggested, use the add-on which they created and i am able to use Add-on directly in my environment. Is there any other approach to break the lines .
SHOULD_LINEMERGE=false
LINE_BREAKER=^[*]+\n[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\nStart\stime\:\s\d{14}
CHARSET=UTF-8
TIME_FORMAT=%Y%m%d%H%M%S
Still it is not breaking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @uagraw01,
The regex configured forLINE_BREAKER must contain a capturing group. Also, set SHOULD_LINEMERGE to false. Restart forwarder once you add these configurations in props.conf.
LINE_BREAKER = (\*{22}\n)
TIME_PREFIX = \Start\stime\:\s
TIME_FORMAT= %Y%m%d%H%M%S
SHOULD_LINEMERGE = false
If this reply helps you, a like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti It is still not breaking from the second event start from
*********************
Windows PowerShell transcript start
Start time:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
LINE_BREAKER = (\*{22}\n\w+\s\w+\s\w+\sstart\n)Note that this will not add the below lines to your events:
*********************
Windows PowerShell transcript start
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti Below are my raw data
Windows PowerShell transcript end
End time: 20210223060514
**********************
**********************
Windows PowerShell transcript start
Start time: 20210209051406
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an app developed to consume Windows PowerShell transcript logs:
Check this:
https://github.com/HurricaneLabs/TA-powershell_transcript
It is also there in Splunk base: https://splunkbase.splunk.com/app/4984/#/details
If this reply helps you, a like would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
