Solved: How do you use regex to parse the following text?

dbashyam · ‎02-08-2019

Hi,

I have the following text to parse. I want to break when I encounter the **** date ***. I tried the following, but I am not able to parse it correctly. Could you please help?

BREAK_ONLY_BEFORE=(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})
MAX_TIMESTAMP_LOOKAHEAD=30
SHOULD_LINEMERGE=true
TRUNCATE=10
disabled=false
TIME_FORMAT=(%b %d %H:%M:%S)
TIME_PREFIX=^.*

*************
Feb 07 06:10:34 : STEP 4
*************

+ [ ]
+ send_emails
+ send_success_email
+ print '\n**********\nMon Jan 14 08:01:10 GMT 2019 : job 
+ List item
0\n**********\n'

*************
Feb 08 06:10:34 : job 
*************

+ [[ -e /junk.chk ]]
+ [[ 0 -eq 0 ]]
+ rm -f /junk.chk
+ exec
+ 1>& 3 2>& 3
+ print '\n**********\nMon Jan 14 09:01:10 GMT 2019 : job 
+ List item
0\n**********\n'

woodcock · ‎02-08-2019

Try this (and ONLY this):

LINE_BREAKER=([\r\n\s]+\*+[\r\n\s]+)
SHOULD_LINEMERGE=false
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=15

View solution in original post

woodcock · ‎02-08-2019

Try this (and ONLY this):

LINE_BREAKER=([\r\n\s]+\*+[\r\n\s]+)
SHOULD_LINEMERGE=false
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=15

dbashyam · ‎02-10-2019

thank you @woodcock

damann · ‎02-08-2019

I tried to ingest your data.
When i removed your Truncate=10 option and added the "\s:" to BREAK_ONLY_BEFORE i get 3 events.

BREAK_ONLY_BEFORE=(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s:)

Maybe it helps for you?

How do you use regex to parse the following text?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...