Re: Line breaking with custom regex

Simon · ‎07-09-2013

Hi All

I've got a very bad csv to index, which is basically a csv with 63 columns and tildes as separators, because field contents may include any characters except tildes... However... Line breaking is very difficult since the only hint for a new event is the 63th occurence of a tilde... I've got a regex to match one single event:

((([^\~]*?)\~){63})

Any idea how I can transform into a LINE_BREAKER regex? Using this regex will put the content in the first csv column into an event without the 62 other csv columns.

Thanks
Simon

bmacias84 · ‎07-09-2013

If your data is truely a csv and there is a timestamp just set SHOULD_LINEMERGE=false which should break on each new line. Also with an event as wide as yours you may need to increase your TRUNCATE= to accomidate the event length. Posting a scrubed event might help too.

Simon · ‎08-05-2013

Thanks for your answer. Unfortunately it isn't a true csv. It's a kind of csv with {-} as delimiter and the field contents may have multiliners.

In the mean time I got a solution by myself:

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ((([^{]*?){~}){63})

Which breaks after the 63th occurence of {-} and respects empty values.

Line breaking with custom regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation