I'm trying to break a log which has the following pattern:
05/13/2010 14:31:35 [1498270105] Processing Request on socket 504D8CE8
[bunch of fields]
05/13/2010 14:31:35 [1498449374] Done with Request on socket 504D8CE8
05/13/2010 14:31:41 [1504230205] Processing Request on socket 56EF8CC8
[bunch of fields]
05/13/2010 14:31:41 [1504680832] Done with Request on socket 56EF8CC8
I spent a while yesterday trying various combinations of the line-breaking arguments in props.conf but couldn't work out how to break it exactly so that the "Processing" line is first and the "Done with Request" line is at the end, and everything is in one event.
Can anyone suggest what I should be using to break the file into events? I tried LINEBREAKER=(^(.)with Request(.)$), BREAK_BEFORE, and other rules but couldn't get it to neatly break each event separately.
Part of the problem, maybe, is that I don't understand how and when changes to props.conf take effect. If I add a line breaker rule to props.conf, will those changes appear when I do a search, or does Splunk need to reprocess the entire file? How can I best test the effect that changes to props.conf have to events?
Alternately, is it possible to create a transaction based on Time and SocketID, which includes everything BETWEEN "Processing Request" and "Done with Request" lines as part of the transaction?
Event breaking all happens at indexing time. Therefore your changes will only take effect on newly loaded events.
You may be better off breaking each event based on the date and then using the transaction search command to recombine the events at search time. I'm assuming that in your example 504D8CE8 is a field value that would be a unique value to connect your events.
There are some similar questions on this site that you may find helpful.
I would start with something like this in props.conf:
[my_source_type]
# The timestamp sits at the very start of each line
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
# Only start a new event on a line that begins with that timestamp
BREAK_ONLY_BEFORE_DATE = TRUE
# Search-time extraction of the hex socket ID into a SocketID field
EXTRACT-socket = socket (?<SocketID>[0-9A-F]+)
Then do your searching like:
sourcetype=my_source_type ... | transaction fields=SocketID
If you wanted to get more fancy with transactions, you may find this even more helpful: (but you will want to read up on the command and play around with it to see what works best)
sourcetype=my_source_type ... | transaction fields="host,SocketID" startswith=("Processing Request") endswith=("Done with Request") maxspan=2h
See where that gets you.
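To make the two halves of the answer concrete, here is an added example (not code from the original post or from Splunk) that models what the props.conf stanza and the transaction search do: it breaks raw text into events only before a leading timestamp, extracts SocketID, and then groups events per SocketID between a startswith and an endswith line, enforcing maxspan and flagging a transaction that never sees its "Done with Request" line. The sample log is constructed to match the question's pattern, the stand-in field lines and the third, deliberately unterminated request are assumptions, and the grouping rules are a simplified model of the transaction command rather than its real implementation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the shape shown in the question. The "fieldN=" lines
# stand in for "[bunch of fields]", and the third request is intentionally left
# without a "Done with Request" line to show an unclosed transaction.
SAMPLE_LOG = """\
05/13/2010 14:31:35 [1498270105] Processing Request on socket 504D8CE8
field1=a
field2=b
05/13/2010 14:31:35 [1498449374] Done with Request on socket 504D8CE8
05/13/2010 14:31:41 [1504230205] Processing Request on socket 56EF8CC8
field1=c
05/13/2010 14:31:41 [1504680832] Done with Request on socket 56EF8CC8
05/13/2010 14:32:02 [1509900001] Processing Request on socket 56EF8CC8
field1=d
"""

# Model of TIME_PREFIX=^ and TIME_FORMAT=%m/%d/%Y %H:%M:%S with
# BREAK_ONLY_BEFORE_DATE: an event starts only on a line that opens with this.
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
# Model of EXTRACT-socket = socket (?<SocketID>[0-9A-F]+)
SOCKET_RE = re.compile(r"socket (?P<SocketID>[0-9A-F]+)")


def break_events(text):
    """Split raw text into events, breaking only before a leading timestamp."""
    events = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            events.append({"_raw": line})
        elif events:
            events[-1]["_raw"] += "\n" + line   # continuation line joins the open event
        # Lines before the first timestamp have no event to attach to and are dropped.
    for ev in events:
        ev["_time"] = datetime.strptime(TIMESTAMP_RE.match(ev["_raw"]).group(0), TIME_FORMAT)
        m = SOCKET_RE.search(ev["_raw"])
        ev["SocketID"] = m.group("SocketID") if m else None
    return events


def build_transactions(events, startswith, endswith, maxspan, key="SocketID"):
    """Group events per key value between a startswith and an endswith match.

    Simplified model (an assumption, not Splunk's implementation): events are
    walked in time order; a startswith match opens a transaction for its key,
    later events with that key join it, an endswith match closes it, and an
    event more than maxspan after the start cannot join. Transactions that
    never close are returned with closed=False, like closed_txn=0 in Splunk.
    """
    open_txns = {}   # key value -> transaction currently being built
    finished = []

    def close(txn, closed):
        txn["closed"] = closed
        txn["eventcount"] = len(txn["events"])
        txn["duration"] = (txn["events"][-1]["_time"] - txn["events"][0]["_time"]).total_seconds()
        finished.append(txn)

    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev.get(key)
        if k is None:
            continue   # no grouping field, so it cannot belong to any transaction
        txn = open_txns.get(k)
        if txn is not None and ev["_time"] - txn["events"][0]["_time"] > maxspan:
            close(open_txns.pop(k), closed=False)   # ran past maxspan: left unclosed
            txn = None
        if startswith in ev["_raw"]:
            if txn is not None:                      # a new start orphans the previous one
                close(open_txns.pop(k), closed=False)
            txn = open_txns[k] = {"key": k, "events": []}
        if txn is None:
            continue   # event before any start for this key: dropped in this model
        txn["events"].append(ev)
        if endswith in ev["_raw"]:
            close(open_txns.pop(k), closed=True)

    for k in list(open_txns):                        # whatever is still open at end of data
        close(open_txns.pop(k), closed=False)
    return sorted(finished, key=lambda t: t["events"][0]["_time"])


def demo():
    """Run the sample through event breaking and the modelled transaction search."""
    events = break_events(SAMPLE_LOG)
    return build_transactions(events, startswith="Processing Request",
                              endswith="Done with Request", maxspan=timedelta(hours=2))


if __name__ == "__main__":
    for t in demo():
        print(f"{t['key']} events={t['eventcount']} closed={t['closed']} duration={t['duration']}s")
        print("  " + t["events"][0]["_raw"].splitlines()[0])
```

The third transaction comes back with closed=False and a single event, which is the case to watch for in the real search: a request that never logs "Done with Request" still appears as a transaction, so filter on closed_txn (or eventcount) if you only want complete request/response pairs.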
Thanks - the startswith/endswith seems like it could do the trick. I'll try that.