Happy New Year everyone!
Regex n00b here - I am struggling to break events for a particular source. Any help would be appreciated.
The line to break events is in the following format
"From <19 digit numeric string>@<misc alpha numeric string of varying length> <timestamp>"
For example:
From 1489304828131889971@xxx Sat Jan 03 07:02:43 2015
From 1489220782115942636@82hs Fri Jan 02 08:46:51 2015
I want to specify an event break in props.conf with "From <19 digit numeric string>@".
Can anyone help?
-dave
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Hi himynamesdave,
try something like this as line breaker regex :
From\s.+?@
based on the assumption I understood you correct and you want everything after the @ as new line 😉
cheers, MuS
 
					
				
		
For the LINE_BREAKER to work there needs to be a capture group.
You should specify the following in props.conf
props.conf
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ([\r\n]+)From\s\d+@
That will break where there is a carriage return or new line, followed by From 'space' any number of digits and an @ symbol.
See how you go.
(It is always preferable to delimit multi-line events with LINE_BREAKER as it has significant benefits to processing speed)
 
					
				
		
Since you want to break the events "From <19digits>@", here is props.conf for the same.
I have used \d{19} to match the exact 19 digits as you mentioned.
props.conf
[< your sourcetype OR source or host >]
BREAK_ONLY_BEFORE=From\s+\d{19}@
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
please let me know if the above props.conf worked for you..
regex query tried to match the correct pattern is https://regex101.com/r/kD3tZ1/1 
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		This will not work on any event NOT containing exactly (meaning more/less) 19 digits...
Always build things so you can [remember what they mean|work], two years from now 😉
 
					
				
		
Yes, I knew it. It depends on whether strict or loose pattern matching required. That why I said, based on 19 digit pattern as per the question.
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Hi himynamesdave,
try something like this as line breaker regex :
From\s.+?@
based on the assumption I understood you correct and you want everything after the @ as new line 😉
cheers, MuS
