Having mixed results with this issue?
I have trap messages being written to a txt file which then gets pushed to my indexer via a universal forwarder, and I also have line breaks set up in props.conf. The trap message then appears in full as a multi-line event.
This is the line break config for the trap message:
[imsva_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{2}\/\d{2}\/2\d{3}\s\d{1,2}:\d{2}\s(A|P)M
BREAK_ONLY_BEFORE_DATE = false
Unsure if the above config is best for trap messages but it seems to work.
Pic of traps as they come into Splunk: imgur.com/RcmA93R
I then use the IFX tool to extract specific lines from the trap message; however, this sometimes works and sometimes breaks.
When it works it successfully extracts the results of 1 line.
Pic of a working extraction: imgur.com/E0xtHs3
Other times it extracts the line I want, but it also extracts the rest of the message, so I end up with multiple lines in my extraction.
Pic of a non working extraction: imgur.com/EKdUOFm
I have played about with the rex config in props.conf to stop extracting after the end of the line, but I'm having no joy with this. What rex can I use that basically says 'stop' after the end of the line and does not continue with any more extraction?
This is the rex config generated from IFX:
EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)
Cheers for any help.
*Apologies for the pics, but I don't have enough karma points to post inside the question - yeah, great, eh, and I am paying big bucks for Splunk support?
Give this a try:
EXTRACT-imsva_log_type = (?i) .*?: (?P<imsva_log_type>[a-z]+)[(\r\n)+]*
EXTRACT-imsva_trapoid = (?im)^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+(?P<imsva_trapoid>.+)[(\r\n)+]*
Thanks somesoni2, but I'm afraid I still have the same results: it appends the rest of the multi-line event onto the end of the line.
I tried this on a number of transforms from the same sourcetype with the same results.
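Added example, not code from this thread: it runs the question's two IFX regexes and somesoni2's variant over a constructed trap event in Python's re module, which treats `.`, `^`, `(?i)`, `(?m)` and `(?s)` the same way as the PCRE engine Splunk uses, and compares them with a capture class `[^\r\n]+` that is my assumption rather than anything posted in the thread. The `(?s)` variant is included only to show what a capture that runs on into the rest of the event looks like; which line terminator the original trap file uses is not known from the question.

```python
import re

# Constructed multi-line trap event in the layout the question describes
# (timestamp header line, then one field per line); every value is invented.
LINES = [
    "01/15/2019 10:32 AM Trap: Warning",
    "SNMPv2-SMI::enterprises.999.1 Virus detected in mail",
    "Sender: user@example.com",
    "Recipient: admin@example.com",
]

# The question's first regex, unchanged.
LOG_TYPE_REGEX = r"(?i) .*?: (?P<imsva_log_type>[a-z]+)"

# Fixed prefix of the question's trapoid regex; only the capture group varies below.
PREFIX = r"^(?:[^:\n]*:){2}\w+\.\d+\.\d+\s+"
TRAPOID_VARIANTS = {
    # IFX-generated: '.' matches anything except LF, so the group can swallow a CR.
    "question": r"(?im)" + PREFIX + r"(?P<imsva_trapoid>.+)",
    # somesoni2's version: the trailing class sits outside the group, so the
    # captured value is identical to "question".
    "reply": r"(?im)" + PREFIX + r"(?P<imsva_trapoid>.+)[(\r\n)+]*",
    # Same pattern with (?s) added, shown only to illustrate a run-on capture:
    # '.' now matches LF too and the group runs to the end of the event.
    "dotall": r"(?ims)" + PREFIX + r"(?P<imsva_trapoid>.+)",
    # Assumed single-line version (not from the thread): the group may contain
    # neither CR nor LF, so it ends at the line whatever the terminator or flags.
    "one_line": r"(?im)" + PREFIX + r"(?P<imsva_trapoid>[^\r\n]+)",
}

def extract(event, regex, field):
    """Value of the named group in the first match, or None if nothing matched."""
    m = re.search(regex, event)
    return m.group(field) if m else None

def run(terminator):
    """Join the sample lines with one line terminator and return every capture."""
    event = terminator.join(LINES)
    out = {"imsva_log_type": extract(event, LOG_TYPE_REGEX, "imsva_log_type")}
    for name, regex in TRAPOID_VARIANTS.items():
        out[name] = extract(event, regex, "imsva_trapoid")
    return out

if __name__ == "__main__":
    for label, term in (("LF", "\n"), ("CRLF", "\r\n")):
        print(label, run(term))
```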