Splunk Search

Need help with a regex for line_breaker in props.conf

mbachhav
Path Finder

Hi,

Need help with regex for LINE_BREAKER attribute in props.conf.

I have the data below and want it as a single event in Splunk. Currently, the <RESULTS> data splits into multiple events.

I would like to send the entire <DETECTION> tag as a single event. Can someone help me with the right LINE_BREAKER pattern to use?

<DETECTION>
    <ID>231</ID>
    <TYPE>Information</TYPE>
    <SEVERITY>1</SEVERITY>
    <RESULTS>Line 1 :
 field 1 :  value1
 field 2: value2</RESULTS>
    <STATUS>NEW</STATUS>
</DETECTION>

0 Karma

aasabatini
Motivator

Hi @mbachhav 

try this props

[<your sourcetype>]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\<DETECTION\>
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

mbachhav
Path Finder

@aasabatini,

I tried the suggested option but it's not working as expected. Data is split into multiple events. 

 

0 Karma

aasabatini
Motivator

Hi @mbachhav 

can you show your props.conf?

Regards

Alessandro

0 Karma

mbachhav
Path Finder

Below is my props.conf file:

[stanza]
TIMESTAMP_FIELDS=dateTime
LINE_BREAKER =\<DETECTION\>
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TZ=UTC
CHARSET=UTF-8
KV_MODE=xml
MAX_EVENTS=50000
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ

0 Karma

aasabatini
Motivator

Hi @mbachhav

please can you remove the LINE_BREAKER and add this option as I told you:

BREAK_ONLY_BEFORE=\<DETECTION\>

let me know if it works

0 Karma

mbachhav
Path Finder

Apologies. First I tried BREAK_ONLY_BEFORE=\<DETECTION\>, but it didn't work, hence I tried LINE_BREAKER.

0 Karma

mbachhav
Path Finder

The problem has been solved with the stanza below:

[stanza name]

TIMESTAMP_FIELDS=dateTime
LINE_BREAKER=(\<DETECTION\s)
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TZ=UTC
CHARSET=UTF-8
KV_MODE=xml
MAX_EVENTS=50000
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ

0 Karma
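An added example, not part of the thread or of Splunk's own code: a small Python script that emulates the two event-breaking mechanisms discussed above so a pattern can be checked against sample data before it goes into props.conf. `line_break` applies the documented LINE_BREAKER rule (the event boundary sits at capture group 1 and the captured text appears in no event); `line_merge` is a deliberately simplified model of SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE. The sample input is constructed from the question's block with a second <DETECTION> appended, and the lookahead regex `([\r\n]+)(?=<DETECTION>)` is the editor's suggestion, not the pattern from the accepted answer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not from the thread): the question's <DETECTION>
# block followed by a second one, so that event boundaries are visible.
SAMPLE = """<DETECTION>
    <ID>231</ID>
    <TYPE>Information</TYPE>
    <SEVERITY>1</SEVERITY>
    <RESULTS>Line 1 :
 field 1 :  value1
 field 2: value2</RESULTS>
    <STATUS>NEW</STATUS>
</DETECTION>
<DETECTION>
    <ID>232</ID>
    <TYPE>Information</TYPE>
    <SEVERITY>2</SEVERITY>
    <RESULTS>Line 1 :
 field 1 :  value3</RESULTS>
    <STATUS>NEW</STATUS>
</DETECTION>
"""

# Splunk's default LINE_BREAKER: one raw event per line.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"


def line_break(data: str, line_breaker: str) -> list[str]:
    """Emulate LINE_BREAKER: at every match, the previous event ends where
    capture group 1 starts and the next event starts where it ends. The text
    captured by group 1 belongs to neither event, which is why the newline is
    the thing to capture and the opening tag is matched by lookahead."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, start = [], 0
    for m in pattern.finditer(data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    events.append(data[start:])
    return [e for e in events if e.strip()]  # drop the empty trailing chunk


def line_merge(lines: list[str], break_only_before: str) -> list[str]:
    """Simplified emulation of SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE:
    consecutive lines are merged into one event and a new event starts at
    each line matching the regex. Real Splunk also starts a new event when it
    detects a timestamp or reaches MAX_EVENTS; that is not modelled here."""
    pattern = re.compile(break_only_before)
    events: list[str] = []
    for line in lines:
        if not events or pattern.search(line):
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def well_formed(events: list[str]) -> bool:
    """True if every event parses as one complete XML element, which is what
    KV_MODE=xml needs at search time to extract ID, SEVERITY, RESULTS, ..."""
    try:
        for e in events:
            ET.fromstring(e)
    except ET.ParseError:
        return False
    return True


def detection_ids(events: list[str]) -> list[str]:
    """Return the <ID> text of each event; raises on a malformed event."""
    return [ET.fromstring(e).findtext("ID") for e in events]


if __name__ == "__main__":
    per_line = line_break(SAMPLE, DEFAULT_LINE_BREAKER)
    print(len(per_line), "events with the default LINE_BREAKER, well-formed:",
          well_formed(per_line))
    by_breaker = line_break(SAMPLE, r"([\r\n]+)(?=<DETECTION>)")
    print(len(by_breaker), "events with the lookahead LINE_BREAKER, IDs:",
          detection_ids(by_breaker))
    by_merge = line_merge(per_line, r"\<DETECTION\>")
    print(len(by_merge), "events with BREAK_ONLY_BEFORE, IDs:",
          detection_ids(by_merge))
```

Two practical points follow from the emulation. First, because the text matched by the first capture group is discarded, a LINE_BREAKER that captures the opening tag itself strips that text from the start of every event; capturing only the newline and putting the tag in a lookahead keeps each event as a complete, parseable <DETECTION> element. Second, once LINE_BREAKER produces whole events on its own, SHOULD_LINEMERGE=false avoids a second, more expensive merge pass at index time; keep MAX_EVENTS only if line merging stays on.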