Splunk Search

Line breaks and regex help

j666gak
Communicator

Hello,

I am having issues when Splunk is reading an XML file. I need Splunk to know that a transaction starts with and finishes with , instead of line breaks all over the place.

I'm not sure what the regex I need for this is? and would I need to add it to props.conf or transforms.conf or something else?

  <diary_entry>
  <id>560494</id>
  <entry_time>2011-08-25 12:36:00 UTC</entry_time>
  <blood_glucose>15.4</blood_glucose>
  <carbohydrate_portions>5</carbohydrate_portions>
  <quick_insulin>3</quick_insulin>
  <background_insulin></background_insulin>
  <ratio>1:1</ratio>
  <entry_type>CORR</entry_type>
  <target_min_bg>4.5</target_min_bg>
  <target_max_bg>7.5</target_max_bg>
  <ketones></ketones>
  <comments></comments>
  <injection_site>Stomach</injection_site>
  <updated_at>2011-08-25 22:44:02 UTC</updated_at>
</diary_entry>
Tags (2)
0 Karma
1 Solution

Ayn
Legend

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

View solution in original post

Ayn
Legend

You need to add it as a LINE_BREAKER directive in props.conf. Like this:

[yoursourcetype]
LINE_BREAKER = ([\r\n]+)<diary_entry>

kristian_kolb
Ultra Champion

Already indexed data will not be altered by this operation. Any new data coming in should be broken into separate event according to your config.

0 Karma

j666gak
Communicator

I have edited the props.conf and restarted the Splunk server but nothing has changed. Does the data need to be re-indexed?

0 Karma

j666gak
Communicator

just trying it now and testing

Thanks

0 Karma

kristian_kolb
Ultra Champion

and don't forget to also set

SHOULD_LINEMERGE=false
TIME_PREFIX=

note that the latter may not be required if your timestamps are parsed correctly without it.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...