Line breaking with custom regex

Simon · ‎07-09-2013

Hi All

I've got a very bad csv to index, which is basically a csv with 63 columns and tildes as separators, because field contents may include any characters except tildes... However... Line breaking is very difficult since the only hint for a new event is the 63th occurence of a tilde... I've got a regex to match one single event:

((([^\~]*?)\~){63})

Any idea how I can transform into a LINE_BREAKER regex? Using this regex will put the content in the first csv column into an event without the 62 other csv columns.

Thanks
Simon

bmacias84 · ‎07-09-2013

If your data is truely a csv and there is a timestamp just set SHOULD_LINEMERGE=false which should break on each new line. Also with an event as wide as yours you may need to increase your TRUNCATE= to accomidate the event length. Posting a scrubed event might help too.

Simon · ‎08-05-2013

Thanks for your answer. Unfortunately it isn't a true csv. It's a kind of csv with {-} as delimiter and the field contents may have multiliners.

In the mean time I got a solution by myself:

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ((([^{]*?){~}){63})

Which breaks after the 63th occurence of {-} and respects empty values.

Line breaking with custom regex

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

Line breaking with custom regex

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor