Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Event break regex - match 19 digit number

himynamesdave
Contributor
‎01-04-2015 06:51 AM

Happy New Year everyone!

Regex n00b here - I am struggling to break events for a particular source. Any help would be appreciated.

The line to break events is in the following format

"From <19 digit numeric string>@<misc alpha numeric string of varying length> <timestamp>"

For example:

From 1489304828131889971@xxx Sat Jan 03 07:02:43 2015

From 1489220782115942636@82hs Fri Jan 02 08:46:51 2015

I want to specify an event break in props.conf with "From <19 digit numeric string>@".

Can anyone help?

-dave

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-04-2015 10:41 AM

Hi himynamesdave,

try something like this as line breaker regex :

From\s.+?@

based on the assumption I understood you correct and you want everything after the @ as new line 😉

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

eddit0r
Explorer
‎01-04-2015 12:54 PM

For the LINE_BREAKER to work there needs to be a capture group.

You should specify the following in props.conf

props.conf
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = ([\r\n]+)From\s\d+@

That will break where there is a carriage return or new line, followed by From 'space' any number of digits and an @ symbol.

See how you go.

(It is always preferable to delimit multi-line events with LINE_BREAKER as it has significant benefits to processing speed)

0 Karma
Reply
Solved! Jump to solution

jayannah
Builder
‎01-04-2015 12:34 PM

Since you want to break the events "From <19digits>@", here is props.conf for the same.
I have used \d{19} to match the exact 19 digits as you mentioned.

props.conf
[< your sourcetype OR source or host >]
BREAK_ONLY_BEFORE=From\s+\d{19}@
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

please let me know if the above props.conf worked for you..
regex query tried to match the correct pattern is https://regex101.com/r/kD3tZ1/1

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-04-2015 12:43 PM

This will not work on any event NOT containing exactly (meaning more/less) 19 digits...
Always build things so you can [remember what they mean|work], two years from now 😉

0 Karma
Reply
Solved! Jump to solution

jayannah
Builder
‎01-04-2015 12:53 PM

Yes, I knew it. It depends on whether strict or loose pattern matching required. That why I said, based on 19 digit pattern as per the question.

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-04-2015 10:41 AM

Hi himynamesdave,

try something like this as line breaker regex :

From\s.+?@

based on the assumption I understood you correct and you want everything after the @ as new line 😉

cheers, MuS

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...