- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Event break regex - match 19 digit number
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Happy New Year everyone!
Regex n00b here - I am struggling to break events for a particular source. Any help would be appreciated.
The line to break events is in the following format
"From <19 digit numeric string>@<misc alpha numeric string of varying length> <timestamp>"
For example:
From 1489304828131889971@xxx Sat Jan 03 07:02:43 2015
From 1489220782115942636@82hs Fri Jan 02 08:46:51 2015
I want to specify an event break in props.conf with "From <19 digit numeric string>@".
Can anyone help?
-dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi himynamesdave,
try something like this as line breaker regex :
From\s.+?@
based on the assumption I understood you correct and you want everything after the @ as new line 😉
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the LINE_BREAKER to work there needs to be a capture group.
You should specify the following in props.conf
props.conf
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ([\r\n]+)From\s\d+@
That will break where there is a carriage return or new line, followed by From 'space' any number of digits and an @ symbol.
See how you go.
(It is always preferable to delimit multi-line events with LINE_BREAKER as it has significant benefits to processing speed)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you want to break the events "From <19digits>@", here is props.conf for the same.
I have used \d{19} to match the exact 19 digits as you mentioned.
props.conf
[< your sourcetype OR source or host >]
BREAK_ONLY_BEFORE=From\s+\d{19}@
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
please let me know if the above props.conf worked for you..
regex query tried to match the correct pattern is https://regex101.com/r/kD3tZ1/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will not work on any event NOT containing exactly (meaning more/less) 19 digits...
Always build things so you can [remember what they mean|work], two years from now 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I knew it. It depends on whether strict or loose pattern matching required. That why I said, based on 19 digit pattern as per the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi himynamesdave,
try something like this as line breaker regex :
From\s.+?@
based on the assumption I understood you correct and you want everything after the @ as new line 😉
cheers, MuS
Thanks for the Memories! Splunk University, .conf24, and Community Connections
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
