Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to regex events with "==========================" as event breaker?

kiran331
Builder
‎10-20-2017 07:44 AM

How to break the events with using regex with "==========================" as event breaker?

event:

PS C:\tetst\tethttb>
"ERROR: Parameter ""-ComputerName"" requires an argument."

Copyright (C) 2013 Microsoft Corporation. All rights reserved.

"ERROR: fd""-fgrgf"" requires an vcv."
Copyright (C) 2013 Microsoft gfg. All rights reserved.

BitLocker Drive Encryption: rTool version 10.0.rtret

"If the ""-cn"" parameter was specified, check that the computer name is correct."
interface.
ERROR: An error occurred while connecting to the BitLocker management
Computer Name: rtffggh
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

BitLocker Drive Encryption: Configuration Tool version 10.0.15063

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎10-20-2017 09:52 AM

[your_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (^=+$)
DATETIME_CONFIG = none

This is the more efficient approach because it doesnt require the line merging processor and also instructs splunk to not try to parse a timestamp (which there are none in your sample data). Please note the = signs will be removed from the data too, effectively reducing license spend.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎10-20-2017 09:52 AM

[your_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = (^=+$)
DATETIME_CONFIG = none

This is the more efficient approach because it doesnt require the line merging processor and also instructs splunk to not try to parse a timestamp (which there are none in your sample data). Please note the = signs will be removed from the data too, effectively reducing license spend.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2017 07:55 AM

Hi kiran331,
in props.conf put

[your_sourcetype]
BREAK_ONLY_BEFORE = \={5,100}

Bye.
Giuseppe

Reply
Solved! Jump to solution

landen99
Motivator
‎10-20-2017 08:30 AM

And: SHOULD_LINEMERGE = true. And unless more than 100 "=" is a deal breaker, you might as well just let it stop at 5:

[your_sourcetype]
BREAK_ONLY_BEFORE = \={5}
SHOULD_LINEMERGE = true
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-20-2017 10:11 AM

@cusello, @landen99 - how does that map in the case that there might be some comment somewhere that happened to have ===== in the middle of a line?

Would you use ^={5,}, or is ^ not meaningful as start of line in BREAK_ONLY_BEFORE?

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎10-20-2017 09:20 PM

jcat54's answer is much better. I learned something big from that answer; wish I had understood that a while ago. Also, you are correct that any comment with an equals sign in it 5 times would initiate an event break right before that line. I neglected the "^" because I suspected that some events might have space characters before the "=". I neglected matching more than 5 because once a match of 5 was complete, the rest didn't matter.

Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...