Breaking multiline events

patrickw
Explorer

I'm trying to break a log which has the following pattern:

05/13/2010 14:31:35 [1498270105]    Processing Request on socket 504D8CE8
[bunch of fields]
05/13/2010 14:31:35 [1498449374]    Done with Request on socket 504D8CE8
05/13/2010 14:31:41 [1504230205]    Processing Request on socket 56EF8CC8
[bunch of fields]
05/13/2010 14:31:41 [1504680832]    Done with Request on socket 56EF8CC8

I spent a while yesterday trying various combinations of the line-breaking arguments in props.conf but couldn't work out how to break it exactly so that the "Processing" line is first and the "Done with Request" line is at the end, and everything is in one event.

Can anyone suggest what I should be using to break the file into events? I tried LINEBREAKER=(^(.)with Request(.)$), BREAK_BEFORE, and other rules but couldn't get it to neatly break each event separately.

Part of the problem, maybe, is that I don't understand how and when changes to props.conf take effect. If I add a line breaker rule to props.conf, will those changes appear when I do a search, or does Splunk need to reprocess the entire file? How can I best test the effect that changes to props.conf have to events?

Alternately, is it possible to create a transaction based on Time and SocketID, which includes everything BETWEEN "Processing Request" and "Done with Request" lines as part of the transaction?

1 Solution

Lowell
Super Champion

Event breaking all happens at indexing time. Therefore your changes will only take effect on newly loaded events.

You may be better off breaking each event based on the date and then using the transaction search command to recombine the events at search time. I'm assuming that in your example 504D8CE8 is a field value that would be a unique value to connect your events.

There are some similar questions on this site that you may find helpful.


I would start with something like in props.conf:

[my_source_type]
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
BREAK_ONLY_BEFORE_DATE = TRUE
EXTRACT-socket = socket (?<SocketID>[0-9A-F]+)

Then do your searching like:

sourcetype=my_source_type ... | transaction fields=SocketID

If you wanted to get more fancy with transactions, you may find this even more helpful: (but you will want to read up on the command and play around with it to see what works best)

sourcetype=my_source_type ... | transaction fields="host,SocketID" startswith=("Processing Request") endswith=("Done with Request") maxspan=2h

See where that gets you.
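
An added example (not code from the thread) that emulates the two steps of this answer in Python on a constructed log shaped like the one in the question: BREAK_ONLY_BEFORE_DATE event breaking with the SocketID extraction, then a transaction with startswith/endswith/maxspan over the resulting events. It lets you predict what the search should return before reindexing anything; the sample log lines and the regexes are assumptions, not Splunk's own code.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the log in the question (not real data).
SAMPLE_LOG = """\
05/13/2010 14:31:35 [1498270105]    Processing Request on socket 504D8CE8
user=alice
05/13/2010 14:31:35 [1498449374]    Done with Request on socket 504D8CE8
05/13/2010 14:31:41 [1504230205]    Processing Request on socket 56EF8CC8
user=bob
05/13/2010 14:31:43 [1504680832]    Done with Request on socket 56EF8CC8
"""
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
SOCKET_RE = re.compile(r"socket (?P<SocketID>[0-9A-F]+)")  # same regex as EXTRACT-socket
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # %S for the seconds field
def break_events(raw):
    """BREAK_ONLY_BEFORE_DATE emulation: a new event starts only at a timestamped
    line, so the field lines that follow stay attached to the preceding event."""
    events = []
    for line in raw.splitlines():
        ts = DATE_RE.match(line)
        if ts:
            sock = SOCKET_RE.search(line)
            events.append({"_time": datetime.strptime(ts.group(0), TIME_FORMAT),
                           "SocketID": sock.group("SocketID") if sock else None,
                           "_raw": line})
        elif events:  # anything before the first timestamp is discarded
            events[-1]["_raw"] += "\n" + line
    return events

def transaction(events, startswith, endswith, maxspan):
    """Emulates: transaction fields=SocketID startswith=... endswith=... maxspan=..."""
    open_tx, closed = {}, []
    for ev in events:
        sid = ev["SocketID"]
        if sid and startswith in ev["_raw"]:
            open_tx[sid] = {"SocketID": sid, "_time": ev["_time"], "events": [ev]}
        elif sid in open_tx:
            tx = open_tx[sid]
            if ev["_time"] - tx["_time"] > maxspan:
                del open_tx[sid]  # past maxspan: the partial transaction is abandoned
                continue
            tx["events"].append(ev)
            if endswith in ev["_raw"]:
                tx["duration"] = (ev["_time"] - tx["_time"]).total_seconds()
                closed.append(open_tx.pop(sid))
    return closed  # only complete Processing..Done transactions are returned
def run(raw=SAMPLE_LOG, maxspan=timedelta(hours=2)):
    return transaction(break_events(raw), "Processing Request", "Done with Request", maxspan)
```

Events whose "Done with Request" line never arrives, or arrives after maxspan, are left out of the result, which is the same incompleteness you would then see in the transaction command's output.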

patrickw
Explorer

Thanks - the startswith/endswith seems like it could do the trick. I'll try that.
