Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Props.conf configuration not working as expected
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Props.conf configuration not working as expected
Hi team,
I am not getting the event break at required. my requirement is to break event from log file which start with "Importer:" and end with "Elapsed Time:" below is config i did. Please suggest if any change in props config or I am good to go.
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\S+\s\S+\s\W+
MAX_TIMESTAMP_LOOKAHEAD=-1
TIME_PREFIX=^\*Importer:\s+
TIME_FORMAT=%m/%d/%Y %I:%M:%S %p
EVENT_BREAKER = ([\n\r]*Elapsed Time:\.)
EVENT_BREAKER_ENABLE = true
KV_MODE=nonesample log:
Importer: DealerLoansImporter Started : 6/6/2024 4:10:16 AM
Begin Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\GC01RD21.DLR_LOAN_20240605223729.DAT : 6/6/2024 4:10:16 AM
End Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\GC01RD21.DLR_LOAN_20240605223729.DAT : 6/6/2024 4:10:16 AM
Beginning Dealer Loans truncate table : 6/6/2024 4:10:16 AM
Completed Dealer Loans truncate table : 6/6/2024 4:10:16 AM
Begin Loading Database : 6/6/2024 4:10:16 AM
1757 Total Records Inserted : 6/6/2024 4:10:17 AM
Beginning RefreshDealerLoansMonthEnd : 6/6/2024 4:10:17 AM
Completed RefreshDealerLoansMonthEnd : 6/6/2024 4:10:18 AM
Beginning RefreshDealerLoan : 6/6/2024 4:10:18 AM
Completed RefreshDealerLoan : 6/6/2024 4:10:21 AM
Beginning Adv_RefreshProposalCreditLineSummaryFromDealerLoan : 6/6/2024 4:10:21 AM
Completed Adv_RefreshProposalCreditLineSummaryFromDealerLoan : 6/6/2024 4:10:22 AM
Beginning RefreshBorrowerLoanForDefault : 6/6/2024 4:10:22 AM
Completed RefreshBorrowerLoanForDefault : 6/6/2024 4:10:22 AM
Beginning RefreshBorrowerLoanForDCVR : 6/6/2024 4:10:22 AM
Completed RefreshBorrowerLoanForDCVR : 6/6/2024 4:10:23 AM
Importer: DealerLoansImporter Ended : 6/6/2024 4:10:24 AM
Importer: DealerLoansImporter Elapsed Time: 00:00:07.4098788
****************************************************************************************************
****************************************************************************************************
Importer: AdvantageDimensionImporter Started : 6/6/2024 4:10:24 AM
Begin Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\ADV_DIM_20240606030006.DAT : 6/6/2024 4:10:24 AM
End Reading Data File: \\nao.global.gmacfs.com\AllyApps\Ipartners.Pd\Facts_to_Carrs\ADV_DIM_20240606030006.DAT : 6/6/2024 4:10:24 AM
Beginning AdvantageDimension truncate table : 6/6/2024 4:10:24 AM
Completed AdvantageDimension truncate table : 6/6/2024 4:10:24 AM
Begin Loading Database : 6/6/2024 4:10:24 AM
411 Total Records Inserted : 6/6/2024 4:10:24 AM
Beginning refreshing Dimensions : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshFranchiseFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshFranchiseFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshDealerCommercialPrivilegesTypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshDealerCommercialPrivilegesTypeFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshBACManufacturerType : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshBACManufacturerType : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshStateFromDimensions : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshStateFromDimensions : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshFormOfBusinessTypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshFormOfBusinessTypeFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshTAATypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshTAATypeFromDimension : 6/6/2024 4:10:24 AM
Beginning Refreshing Adv_RefreshGuarantorAssociationTypeFromDimension : 6/6/2024 4:10:24 AM
Completed Refreshing Adv_RefreshGuarantorAssociationTypeFromDimension : 6/6/2024 4:10:24 AM
Beginning FetchNewDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Completed FetchNewDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Beginning FetchDeletedDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Completed FetchDeletedDealerStatusAdvantage : 6/6/2024 4:10:24 AM
Beginning FetchDealerStatusAdvantageChanges : 6/6/2024 4:10:24 AM
Completed FetchDealerStatusAdvantageChanges : 6/6/2024 4:10:25 AM
Completed refreshing Dimensions : 6/6/2024 4:10:25 AM
Importer: AdvantageDimensionImporter Ended : 6/6/2024 4:10:25 AM
Importer: AdvantageDimensionImporter Elapsed Time: 00:00:00.9732853
****************************************************************************************************
****************************************************************************************************
Importer: SmartAuctionImporter Started : 6/6/2024 4:10:25 AM
Importer: SmartAuctionImporter Ended : 6/6/2024 4:10:25 AM
Importer: SmartAuctionImporter Elapsed Time: 00:00:00.0312581
****************************************************************************************************
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since multiple lines with the event start with "Importer", we can't use that to break the event. I suggest breaking after "Elapsed Time". Try these settings
SHOULD_LINEMERGE = false
LINE_BREAKER = Elapsed Time:\d+\/\d+\/\d+ \d+:\d+:\d+ \w\w([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_PREFIX = Started:\s+
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
EVENT_BREAKER = Elapsed Time:\d+\/\d+\/\d+ \d+:\d+:\d+ \w\w([\r\n]+)
EVENT_BREAKER_ENABLE = true
KV_MODE = noneIf this reply helps you, Karma would be appreciated.
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
