Splunk Search

How to break a multiline event with regex on the condition that the date changes or if there's only one space character after the timestamp?

can_surer
New Member

Hi,
I have the following log format.
How can I break that multiline event on the condition that the date changes or that there is only one space character after the timestamp?
thanks

14/01/29 08:27:18 Caused by: oracle.core.ojdl.LoggingException: Attempt to write to a closed LogWriter
14/01/29 08:27:18       ... 9 more
14/01/29 08:29:08 Error:  will not be bootstrapped since corresponding module declaration was not found in application.xml.
14/01/30 04:01:14 Error:  will not be bootstrapped since corresponding module declaration was not found in application.xml.
14/01/30 15:11:57 com.evermind.server.http.HttpIOException: Broken pipe
14/01/30 15:11:57       at com.evermind.server.http.EvermindServletOutputStream.write(EvermindServletOutputStream.java:210)
14/01/30 15:11:57       at com.evermind.server.http.EvermindJSPWriter.writeOut(EvermindJSPWriter.java:576)
14/01/30 15:11:57       at com.evermind.server.http.EvermindJSPWriter.jspflush(EvermindJSPWriter.java:441)
14/01/30 15:11:57       at com.evermind.server.http.EvermindJSPWriter.close(EvermindJSPWriter.java:411)
14/01/30 15:11:57       at oracle.jsp.runtime.OracleJspRuntime.extraHandlePCFinally(OracleJspRuntime.java:1910)
14/01/30 15:11:57       at _OA._jspService(_OA.java:260)
14/01/30 15:11:57       at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
14/01/30 15:11:57       at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:390)
14/01/30 15:11:57       at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:594)
14/01/30 15:11:57       at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:518)
14/01/30 15:11:57       at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:734)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.unprivileged_forward(ServletRequestDispatcher.java:280)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.access$100(ServletRequestDispatcher.java:68)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher$2.oc4jRun(ServletRequestDispatcher.java:214)
14/01/30 15:11:57       at oracle.oc4j.security.OC4JSecurity.doPrivileged(OC4JSecurity.java:284)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.forward(ServletRequestDispatcher.java:219)
14/01/30 15:11:57       at com.evermind.server.http.EvermindPageContext.forward(EvermindPageContext.java:395)
14/01/30 15:11:57       at _RF._jspService(_RF.java:225)
14/01/30 15:11:57       at com.orionserver.http.OrionHttpJspPage.service(OrionHttpJspPage.java:59)
14/01/30 15:11:57       at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:390)
14/01/30 15:11:57       at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:594)
14/01/30 15:11:57       at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:518)
14/01/30 15:11:57       at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
14/01/30 15:11:57       at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
14/01/30 15:11:57       at oracle.apps.jtf.base.session.ReleaseResFilter.doFilter(ReleaseResFilter.java:26)
14/01/30 15:11:57       at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
14/01/30 15:11:57       at oracle.apps.fnd.security.AppsServletFilter.doFilter(AppsServletFilter.java:318)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:642)
14/01/30 15:11:57       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
14/01/30 15:11:57       at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:908)
14/01/30 15:11:57       at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
14/01/30 15:11:57       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:313)
14/01/30 15:11:57       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:199)
14/01/30 15:11:57       at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
14/01/30 15:11:57       at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
14/01/30 15:11:57       at java.lang.Thread.run(Thread.java:662)
0 Karma

martin_mueller
SplunkTrust

This works for me using your sample data:

[sourcetype]
BREAK_ONLY_BEFORE = ^(\d\d\D){6}\S


pedromvieira
Communicator

You can configure props.conf

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Then set the following:

SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single multiline event, based
  on the following configuration attributes.
* Defaults to true.


# When SHOULD_LINEMERGE is set to true, use the following attributes to define how Splunk builds
# multiline events.

BREAK_ONLY_BEFORE_DATE = [true|false]
* When set to true, Splunk creates a new event only if it encounters a new line with a date.
  * Note, when using DATETIME_CONFIG = CURRENT or NONE, this setting is not meaningful, as
    timestamps are not identified.
* Defaults to true.

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true

0 Karma
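To see what the two suggested settings actually do to the sample data, here is an added Python emulation of Splunk's line merging (example code written for this thread, not Splunk's implementation and not posted by either answerer). It applies martin_mueller's BREAK_ONLY_BEFORE regex and pedromvieira's BREAK_ONLY_BEFORE_DATE = true rule to lines from the question, plus two constructed lines where a stack trace crosses midnight, to show the one case a per-line regex cannot express: a continuation line whose date differs from the previous line's. The TIMESTAMP pattern and the split_events helper are assumptions for the emulation.

```python
import re

# Lines taken from the question's log excerpt, plus two CONSTRUCTED lines at
# the end where a stack trace crosses midnight (the date changes on a
# continuation line that still has several spaces after the timestamp).
SAMPLE = """\
14/01/29 08:27:18 Caused by: oracle.core.ojdl.LoggingException: Attempt to write to a closed LogWriter
14/01/29 08:27:18       ... 9 more
14/01/29 08:29:08 Error:  will not be bootstrapped since corresponding module declaration was not found in application.xml.
14/01/30 04:01:14 Error:  will not be bootstrapped since corresponding module declaration was not found in application.xml.
14/01/30 15:11:57 com.evermind.server.http.HttpIOException: Broken pipe
14/01/30 15:11:57       at com.evermind.server.http.EvermindServletOutputStream.write(EvermindServletOutputStream.java:210)
14/01/30 15:11:57       at com.evermind.server.http.EvermindJSPWriter.writeOut(EvermindJSPWriter.java:576)
14/01/30 23:59:59 java.lang.IllegalStateException: constructed example line
14/01/31 00:00:00       at example.Foo.bar(Foo.java:1)
"""

# martin_mueller's BREAK_ONLY_BEFORE pattern: six groups of "two digits plus
# one non-digit" cover "14/01/29 08:27:18 " (the trailing space is the sixth
# non-digit), and \S then demands a non-space right after that single space.
# Continuation lines with several spaces after the timestamp therefore fail.
BREAK_ONLY_BEFORE = re.compile(r"^(\d\d\D){6}\S")

# Assumed timestamp prefix, used to emulate BREAK_ONLY_BEFORE_DATE = true
# (every line carrying a timestamp starts an event) and to pull out the date
# for the stateful "date changed" rule.
TIMESTAMP = re.compile(r"^(\d\d/\d\d/\d\d) \d\d:\d\d:\d\d")


def split_events(lines, break_before=None, break_on_date=False,
                 break_on_date_change=False):
    """Group raw lines into multiline events.

    A new event starts when any enabled rule fires; otherwise the line is
    appended to the current event (this mirrors SHOULD_LINEMERGE = true).
    """
    events = []
    prev_date = None
    for line in lines:
        m = TIMESTAMP.match(line)
        date = m.group(1) if m else None
        starts_event = False
        if break_before is not None and break_before.match(line):
            starts_event = True            # BREAK_ONLY_BEFORE = <regex>
        if break_on_date and m:
            starts_event = True            # BREAK_ONLY_BEFORE_DATE = true
        if break_on_date_change and date is not None and date != prev_date:
            starts_event = True            # stateful rule: date differs from previous line
        if starts_event or not events:
            events.append([line])
        else:
            events[-1].append(line)
        if date is not None:
            prev_date = date
    return events


def event_sizes(**rules):
    """Number of lines in each event after splitting SAMPLE with the given rules."""
    return [len(e) for e in split_events(SAMPLE.splitlines(), **rules)]


if __name__ == "__main__":
    print("BREAK_ONLY_BEFORE_DATE = true :", event_sizes(break_on_date=True))
    print("BREAK_ONLY_BEFORE regex       :", event_sizes(break_before=BREAK_ONLY_BEFORE))
    print("regex + date-change rule      :", event_sizes(break_before=BREAK_ONLY_BEFORE,
                                                         break_on_date_change=True))
```

Because every line in this log carries a timestamp, BREAK_ONLY_BEFORE_DATE = true turns each line into its own event (nine single-line events), which is why that setting alone does not solve the question. The regex rule yields five events: the "Caused by" line with its "... 9 more", the two "Error" lines, the HttpIOException with its "at" frames, and the constructed midnight exception with its frame. Only the added date-change rule splits that last pair into two events; BREAK_ONLY_BEFORE is evaluated one line at a time and has no memory of the previous line's date, so if that behaviour is required it has to come from elsewhere (for example from the way the application writes the log, or from post-processing) rather than from this regex.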

can_surer
New Member

Actually, I have tried the following in props.conf, but it did not work for me.

[roket_sourcetype]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE=\d\d\/\d\d\/\d\d\s\d\d:\d\d:\d\d\s{1}[^\s]+

0 Karma