Hi all,
I would like to break a line into multiple events in my log files; you can see the break condition in bold:
[10:27:21.937] DEBUG [RequestStatusTask] [c.s.t.p.a.c.d.p.PrinterWrapper] [onSequenceStatusChanged:758] printer 1 :Sequence State : READY / READY [10:27:22.500] DEBUG [AskCodeTask] [c.s.t.p.a.c.d.p.PrinterWrapper] [onPrinterBufferChanged:743] printer 1 :onPrinterBufferChanged, buffer status: LOW
Here is my props.conf, but it's not working:
[client_log]
BREAK_ONLY_BEFORE = [\d\d:\d\d:\d\d.\d\d\d]
Thanks for your help
Two things:
First, the BREAK_ONLY_BEFORE directive is used in the line merging process - that is, given a number of lines, it tells (optionally in conjunction with other parameters) how Splunk should merge these lines into one event. So, the definition of what a line IS happens earlier, using the LINE_BREAKER directive. Your log looks a bit odd to me in that the events aren't broken up into individual lines already. Before starting to mess with LINE_BREAKER, you might want to investigate if the log itself can't be changed to actually separate events properly into individual lines.
Second, the [ and ] characters are special characters in regular expressions, so whatever regex you end up with will need to escape those.
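To make both points of the answer concrete, here is an added example (not from the question or the answer, and not Splunk code): a small Python emulation of LINE_BREAKER's documented semantics, where the text of the first capture group is treated as the event separator, run over the log line from the question plus one constructed record. It shows that the unescaped regex from the question is a character class that matches a single digit rather than a timestamp, and that a properly escaped pattern with a capture group and a lookahead splits the sample into three events. The regex and the props.conf stanza in the string constant are my suggestion, and the stanza assumes SHOULD_LINEMERGE is turned off so LINE_BREAKER alone defines the events.

```python
import re

# Suggested props.conf stanza (an assumption, not the original poster's config).
# SHOULD_LINEMERGE = false so that events are defined by LINE_BREAKER alone;
# the capture group (\s+) is the separator that gets dropped, and the lookahead
# makes sure we only break where a [hh:mm:ss.mmm] timestamp follows.
PROPS_CONF = r"""
[client_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\s+)(?=\[\d\d:\d\d:\d\d\.\d\d\d\])
"""

# The escaped breaker regex on its own, for use below.
LINE_BREAKER = r"(\s+)(?=\[\d\d:\d\d:\d\d\.\d\d\d\])"

# The regex exactly as posted in the question: because [ and ] are not escaped,
# this is one character class (digits, ':' and '.'), not a literal timestamp.
UNESCAPED = r"[\d\d:\d\d:\d\d.\d\d\d]"

# Sample input: the first two records are the line from the question; the third
# record is constructed here to show that a real newline is also a valid separator.
SAMPLE = (
    "[10:27:21.937] DEBUG [RequestStatusTask] [c.s.t.p.a.c.d.p.PrinterWrapper] "
    "[onSequenceStatusChanged:758] printer 1 :Sequence State : READY / READY "
    "[10:27:22.500] DEBUG [AskCodeTask] [c.s.t.p.a.c.d.p.PrinterWrapper] "
    "[onPrinterBufferChanged:743] printer 1 :onPrinterBufferChanged, buffer status: LOW\n"
    "[10:27:23.001] INFO [AskCodeTask] [c.s.t.p.a.c.d.p.PrinterWrapper] "
    "[onPrinterBufferChanged:743] printer 1 :buffer status: OK\n"
)


def split_events(raw: str, pattern: str = LINE_BREAKER) -> list[str]:
    """Emulate Splunk's LINE_BREAKER: at every match, the start of capture
    group 1 ends the previous event and the end of group 1 starts the next
    one; the group's own text is discarded. Events are returned in order."""
    events = []
    pos = 0
    for m in re.finditer(pattern, raw):
        if m.lastindex is None:
            # Splunk requires a capture group in LINE_BREAKER; the question's
            # regex has none (and would match single characters anyway).
            raise ValueError("LINE_BREAKER needs a capture group")
        chunk = raw[pos:m.start(1)]
        if chunk:
            events.append(chunk)
        pos = m.end(1)
    tail = raw[pos:]
    if tail:
        events.append(tail)
    return events


def first_unescaped_match(text: str) -> str:
    """Show what the question's unescaped regex really matches: the first
    character that belongs to the character class, not a timestamp."""
    m = re.search(UNESCAPED, text)
    return m.group(0) if m else ""


if __name__ == "__main__":
    print("unescaped regex matches:", repr(first_unescaped_match(SAMPLE)))
    for i, ev in enumerate(split_events(SAMPLE), 1):
        print(f"event {i}: {ev.rstrip()}")
```

Running the script prints `'1'` for the unescaped regex (it matched the first digit of the first timestamp) and three events, each beginning with its own `[hh:mm:ss.mmm]` stamp. The same escaped pattern can be pasted into props.conf as shown in the stanza, but a LINE_BREAKER change only applies to data indexed after the change, so re-test with a fresh file.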