Props.conf configuration not working as expected

pratrox · ‎06-20-2024

Hi team,

I am not getting the event break at required. my requirement is to break event from log file which start with "Importer:" and end with "Elapsed Time:" below is config i did. Please suggest if any change in props config or I am good to go.

SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\S+\s\S+\s\W+
MAX_TIMESTAMP_LOOKAHEAD=-1
TIME_PREFIX=^\*Importer:\s+
TIME_FORMAT=%m/%d/%Y %I:%M:%S %p
EVENT_BREAKER = ([\n\r]*Elapsed Time:\.)
EVENT_BREAKER_ENABLE = true
KV_MODE=none

sample log:

Importer: DealerLoansImporter Started : 6/6/2024 4:10:16 AM

Begin Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\GC01RD21.DLR_LOAN_20240605223729.DAT : 6/6/2024 4:10:16 AM
End Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\GC01RD21.DLR_LOAN_20240605223729.DAT : 6/6/2024 4:10:16 AM
Beginning Dealer Loans truncate table : 6/6/2024 4:10:16 AM
Completed Dealer Loans truncate table : 6/6/2024 4:10:16 AM
Begin Loading Database : 6/6/2024 4:10:16 AM
1757 Total Records Inserted : 6/6/2024 4:10:17 AM
Beginning RefreshDealerLoansMonthEnd : 6/6/2024 4:10:17 AM
Completed RefreshDealerLoansMonthEnd : 6/6/2024 4:10:18 AM
Beginning RefreshDealerLoan : 6/6/2024 4:10:18 AM
Completed RefreshDealerLoan : 6/6/2024 4:10:21 AM
Beginning Adv_RefreshProposalCreditLineSummaryFromDealerLoan : 6/6/2024 4:10:21 AM
Completed Adv_RefreshProposalCreditLineSummaryFromDealerLoan : 6/6/2024 4:10:22 AM
Beginning RefreshBorrowerLoanForDefault : 6/6/2024 4:10:22 AM
Completed RefreshBorrowerLoanForDefault : 6/6/2024 4:10:22 AM
Beginning RefreshBorrowerLoanForDCVR : 6/6/2024 4:10:22 AM
Completed RefreshBorrowerLoanForDCVR : 6/6/2024 4:10:23 AM
Importer: DealerLoansImporter Ended : 6/6/2024 4:10:24 AM
Importer: DealerLoansImporter Elapsed Time: 00:00:07.4098788
****************************************************************************************************

****************************************************************************************************
Importer: AdvantageDimensionImporter Started : 6/6/2024 4:10:24 AM

Begin Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\ADV_DIM_20240606030006.DAT : 6/6/2024 4:10:24 AM
End Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\ADV_DIM_20240606030006.DAT : 6/6/2024 4:10:24 AM
Beginning AdvantageDimension truncate table : 6/6/2024 4:10:24 AM
Completed AdvantageDimension truncate table : 6/6/2024 4:10:24 AM
Begin Loading Database : 6/6/2024 4:10:24 AM
411 Total Records Inserted : 6/6/2024 4:10:24 AM
Beginning refreshing Dimensions : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshFranchiseFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshFranchiseFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshDealerCommercialPrivilegesTypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshDealerCommercialPrivilegesTypeFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshBACManufacturerType : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshBACManufacturerType : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshStateFromDimensions : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshStateFromDimensions : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshFormOfBusinessTypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshFormOfBusinessTypeFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshTAATypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshTAATypeFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshGuarantorAssociationTypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshGuarantorAssociationTypeFromDimension : 6/6/2024 4:10:24 AM
Beginning FetchNewDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Completed FetchNewDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Beginning FetchDeletedDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Completed FetchDeletedDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Beginning FetchDealerStatusAdvantageChanges : 6/6/2024 4:10:24 AM
Completed FetchDealerStatusAdvantageChanges : 6/6/2024 4:10:25 AM
Completed refreshing Dimensions : 6/6/2024 4:10:25 AM
Importer: AdvantageDimensionImporter Ended : 6/6/2024 4:10:25 AM
Importer: AdvantageDimensionImporter Elapsed Time: 00:00:00.9732853
****************************************************************************************************

****************************************************************************************************
Importer: SmartAuctionImporter Started : 6/6/2024 4:10:25 AM
Importer: SmartAuctionImporter Ended : 6/6/2024 4:10:25 AM
Importer: SmartAuctionImporter Elapsed Time: 00:00:00.0312581
****************************************************************************************************

richgalloway · ‎06-20-2024

Since multiple lines with the event start with "Importer", we can't use that to break the event. I suggest breaking after "Elapsed Time". Try these settings

SHOULD_LINEMERGE = false
LINE_BREAKER = Elapsed Time:\d+\/\d+\/\d+ \d+:\d+:\d+ \w\w([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_PREFIX = Started:\s+
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
EVENT_BREAKER = Elapsed Time:\d+\/\d+\/\d+ \d+:\d+:\d+ \w\w([\r\n]+)
EVENT_BREAKER_ENABLE = true
KV_MODE = none

---
If this reply helps you, Karma would be appreciated.

Props.conf configuration not working as expected

configuration

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Props.conf configuration not working as expected

configuration

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases