Solved: Re: How do you use regex to parse the following te...

dbashyam · ‎02-08-2019

Hi,

I have the following text to parse. I want to break when I encounter the **** date ***. I tried the following, but I am not able to parse it correctly. Could you please help?

BREAK_ONLY_BEFORE=(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})
MAX_TIMESTAMP_LOOKAHEAD=30
SHOULD_LINEMERGE=true
TRUNCATE=10
disabled=false
TIME_FORMAT=(%b %d %H:%M:%S)
TIME_PREFIX=^.*

*************
Feb 07 06:10:34 : STEP 4
*************

+ [ ]
+ send_emails
+ send_success_email
+ print '\n**********\nMon Jan 14 08:01:10 GMT 2019 : job 
+ List item
0\n**********\n'

*************
Feb 08 06:10:34 : job 
*************

+ [[ -e /junk.chk ]]
+ [[ 0 -eq 0 ]]
+ rm -f /junk.chk
+ exec
+ 1>& 3 2>& 3
+ print '\n**********\nMon Jan 14 09:01:10 GMT 2019 : job 
+ List item
0\n**********\n'

woodcock · ‎02-08-2019

Try this (and ONLY this):

LINE_BREAKER=([\r\n\s]+\*+[\r\n\s]+)
SHOULD_LINEMERGE=false
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=15

View solution in original post

woodcock · ‎02-08-2019

Try this (and ONLY this):

LINE_BREAKER=([\r\n\s]+\*+[\r\n\s]+)
SHOULD_LINEMERGE=false
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=15

dbashyam · ‎02-10-2019

thank you @woodcock

damann · ‎02-08-2019

I tried to ingest your data.
When i removed your Truncate=10 option and added the "\s:" to BREAK_ONLY_BEFORE i get 3 events.

BREAK_ONLY_BEFORE=(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s:)

Maybe it helps for you?

How do you use regex to parse the following text?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms