Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Break into multiple events by time

rbonetti
Engager
‎01-05-2012 01:36 AM

Hi all,

I would like to break a line in multiple events in my log files, you can see the break condition in bold:

[10:27:21.937] DEBUG [RequestStatusTask] [c.s.t.p.a.c.d.p.PrinterWrapper] [onSequenceStatusChanged:758] printer 1 :Sequence State : READY / READY [10:27:22.500] DEBUG [AskCodeTask] [c.s.t.p.a.c.d.p.PrinterWrapper] [onPrinterBufferChanged:743] printer 1 :onPrinterBufferChanged, buffer status: LOW

Here is my props.conf, but it's not working:

[client_log]
BREAK_ONLY_BEFORE = [\d\d:\d\d:\d\d.\d\d\d]

Thanks for your help

Tags (1)
Reply

Ayn
Legend
‎01-05-2012 02:02 AM

Two things:

First, the BREAK_ONLY_BEFORE directive is used in the line merging process - that is, given a number of lines, it tells (optionally in conjunction with other parameters) how Splunk should merge these lines into one event. So, the definition of what a line IS happens earlier, using the LINE_BREAKER directive. Your log looks a bit odd to me in that the events aren't broken up into individual lines already. Before starting to mess with LINE_BREAKER you might want to investigate if the log itself can't be changed to actually separate events properly into individual lines.

Second, the [ and ] characters are special characters in regular expressions, so whatever regex you end up with will need to escape those.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...