Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Linebreak

uagraw01
Motivator
‎03-30-2021 09:33 PM

Hello Guys,

Below is my initial event and i want to break each from the staring of this event. As i tried various attributes in props.conf but no luck to break the event from this line.

I used as of now:

LINE_BREAKER = ^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s\d{14}

TIME_PREFIX = ^\*{22}\n\w+\s\w+\s\w+\sstart\n\Start\stime\:\s

TIME_FORMAT= %Y%m%d%H%M%S

 

**********************

Windows PowerShell transcript start

Start time: 20210223060505

 

Please suggest me what i did wrong in above props.

0 Karma
Reply

uagraw01
Motivator
‎04-05-2021 02:49 AM

@manjunathmeti They suggested, use the add-on which they created and i am able to use Add-on directly in my environment. Is there any other approach to break the lines .

 

SHOULD_LINEMERGE=false
LINE_BREAKER=^[*]+\n[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\s[A-Za-z]+\nStart\stime\:\s\d{14}
CHARSET=UTF-8
TIME_FORMAT=%Y%m%d%H%M%S

 

Still it is not breaking

0 Karma
Reply

manjunathmeti
Champion
‎03-30-2021 10:56 PM

hi @uagraw01,

The regex configured forLINE_BREAKER must contain a capturing group. Also, set SHOULD_LINEMERGE to false. Restart forwarder once you add these configurations in props.conf.

LINE_BREAKER = (\*{22}\n)
TIME_PREFIX = \Start\stime\:\s
TIME_FORMAT= %Y%m%d%H%M%S
SHOULD_LINEMERGE = false

  

If this reply helps you, a like would be appreciated.

0 Karma
Reply

uagraw01
Motivator
‎03-30-2021 11:14 PM

@manjunathmeti It is still not breaking from the second event start from

 

*********************
Windows PowerShell transcript start
Start time:

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-30-2021 11:32 PM

Try this:

LINE_BREAKER = (\*{22}\n\w+\s\w+\s\w+\sstart\n)

Note that this will not add the below lines to your events:
*********************
Windows PowerShell transcript start 

0 Karma
Reply

uagraw01
Motivator
‎03-31-2021 01:31 AM

@manjunathmeti No luck for this as well

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-31-2021 01:34 AM

Can you post some raw data?

Tags (1)
0 Karma
Reply

uagraw01
Motivator
‎03-31-2021 01:48 AM

@manjunathmeti Below are my raw data

 

Windows PowerShell transcript end
End time: 20210223060514
**********************

**********************
Windows PowerShell transcript start
Start time: 20210209051406

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-31-2021 02:11 AM

There is an app developed to consume Windows PowerShell transcript logs:
Check this:
https://github.com/HurricaneLabs/TA-powershell_transcript

It is also there in Splunk base: https://splunkbase.splunk.com/app/4984/#/details

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...