Splunk Search

Breaking multiline events

patrickw
Explorer

I'm trying to break a log which has the following pattern:

05/13/2010 14:31:35 [1498270105]    Processing Request on socket 504D8CE8
[bunch of fields]
05/13/2010 14:31:35 [1498449374]    Done with Request on socket 504D8CE8
05/13/2010 14:31:41 [1504230205]    Processing Request on socket 56EF8CC8
[bunch of fields]
05/13/2010 14:31:41 [1504680832]    Done with Request on socket 56EF8CC8

I spent a while yesterday trying various combinations of the line-breaking arguments in props.conf but couldn't work out how to break it exactly so that the "Processing" line is first and the "Done with Request" line is at the end, and everything is in one event.

Can anyone suggest what I should be using to break the file into events? I tried LINEBREAKER=(^(.)with Request(.)$), BREAK_BEFORE, and other rules but couldn't get it to neatly break each event separately.

Part of the problem, maybe, is that I don't understand how and when changes to props.conf take effect. If I add a line breaker rule to props.conf, will those changes appear when I do a search, or does Splunk need to reprocess the entire file? How can I best test the effect that changes to props.conf have to events?

Alternately, is it possible to create a transaction based on Time and SocketID, which includes everything BETWEEN "Processing Request" and "Done with Request" lines as part of the transaction?

1 Solution

Lowell
Super Champion

Event breaking all happens at indexing time. Therefore your changes will only take effect on newly loaded events.

You may be better off breaking each event based on the date and then using the transaction search command to recombine the events at search time. I'm assuming that in your example 504D8CE8 is a field value that would be a unique value to connect your events.

There are some similar questions on this site that you may find helpful.


I would start with something like in props.conf:

[my_source_type]
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
BREAK_ONLY_BEFORE_DATE = TRUE
EXTRACT-socket = socket (?<SocketID>[0-9A-F]+)

Then do your searching like:

sourcetype=my_source_type ... | transaction fields=SocketID

If you wanted to get more fancy with transactions, you may find this even more helpful: (but you will want to read up on the command and play around with it to see what works best)

sourcetype=my_source_type ... | transaction fields="host,SocketID" startswith=("Processing Request") endswith=("Done with Request") maxspan=2h

See where that gets you.
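As an added illustration (my own Python, not code from the answer above or from Splunk), here is a model of what the two steps in the answer do: break the raw text into events only at lines that start with a timestamp (the BREAK_ONLY_BEFORE_DATE approach, with the answer's TIME_FORMAT and EXTRACT-socket regex), then group the resulting events into transactions keyed on SocketID and bounded by the "Processing Request" and "Done with Request" markers, with the answer's 2h maxspan. The sample log is constructed and, unlike the one in the question, interleaves two sockets; that is the case where a transaction keyed on SocketID works but line breaking alone cannot. The transaction routine is a simplified model of the search command (an event for a key with no open transaction and no start marker is ignored), not a reimplementation of Splunk's semantics.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the question's format (not a real capture). The two
# requests are interleaved on purpose: line breaking alone cannot untangle
# them, but grouping on SocketID can.
SAMPLE_LOG = """\
05/13/2010 14:31:35 [1498270105]    Processing Request on socket 504D8CE8
user=alice
path=/api/orders
05/13/2010 14:31:36 [1504230205]    Processing Request on socket 56EF8CC8
user=bob
05/13/2010 14:31:37 [1498449374]    Done with Request on socket 504D8CE8
05/13/2010 14:31:41 [1504680832]    Done with Request on socket 56EF8CC8
"""

# TIME_PREFIX = ^ and TIME_FORMAT = %m/%d/%Y %H:%M:%S from the answer, as a regex.
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
# EXTRACT-socket = socket (?<SocketID>[0-9A-F]+), in Python's named-group syntax.
SOCKET_RE = re.compile(r"socket (?P<SocketID>[0-9A-F]+)")

START_MARKER = "Processing Request"
END_MARKER = "Done with Request"
MAXSPAN = timedelta(hours=2)  # the answer's maxspan=2h


def break_events(text):
    """Model BREAK_ONLY_BEFORE_DATE: a new event starts only at a line that
    begins with a timestamp; every other line is appended to the current event.
    Then extract SocketID from each event, as the EXTRACT-socket rule would."""
    events = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            events.append({"_time": datetime.strptime(m.group(1), TIME_FORMAT),
                           "_raw": line})
        elif events:
            events[-1]["_raw"] += "\n" + line
    for ev in events:
        s = SOCKET_RE.search(ev["_raw"])
        ev["SocketID"] = s.group("SocketID") if s else None
    return events


def transaction(events, fields, startswith, endswith, maxspan):
    """Simplified model of `transaction fields=... startswith=... endswith=...
    maxspan=...`: events sharing the key fields are grouped from a start
    marker to an end marker; a group older than maxspan is emitted as it is."""
    open_txns = {}
    closed = []

    def close(key):
        evs = open_txns.pop(key)
        closed.append({
            "key": key,
            "events": evs,
            "eventcount": len(evs),
            "duration": (evs[-1]["_time"] - evs[0]["_time"]).total_seconds(),
        })

    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if None in key:
            continue  # no grouping field: cannot belong to any transaction
        if key in open_txns and ev["_time"] - open_txns[key][0]["_time"] > maxspan:
            close(key)  # maxspan exceeded: emit the incomplete group
        if startswith in ev["_raw"] and key in open_txns:
            close(key)  # a fresh start marker always opens a new group
        if key not in open_txns:
            if startswith not in ev["_raw"]:
                continue  # this model ignores events with no preceding start
            open_txns[key] = []
        open_txns[key].append(ev)
        if endswith in ev["_raw"]:
            close(key)
    for key in list(open_txns):
        close(key)  # whatever is still open when the input ends
    return closed


def run_sample():
    """Run both steps over the constructed log and return the transactions."""
    return transaction(break_events(SAMPLE_LOG), ["SocketID"],
                       START_MARKER, END_MARKER, MAXSPAN)


if __name__ == "__main__":
    for t in run_sample():
        print(t["key"], t["eventcount"], "events,", t["duration"], "s")
        for ev in t["events"]:
            print("    " + ev["_raw"].replace("\n", "\n    "))
```

Running it prints two transactions, one per socket, each holding its "Processing" event (with the field lines folded into it) followed by its "Done" event, even though the two requests overlap in the raw file.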


patrickw
Explorer

Thanks - the startswith/endswith seems like it could do the trick. I'll try that.
