Need help with a regex for line_breaker in props.conf

mbachhav
Path Finder

Hi,

Need help with a regex for the LINE_BREAKER attribute in props.conf.

I have the data below and want it as a single event in Splunk. Currently, the <RESULTS> data splits into multiple events.

I would like to send the entire <DETECTION> tag as a single event. Can someone help me with the right LINE_BREAKER pattern to use?

<DETECTION>
    <ID>231</ID>
    <TYPE>Information</TYPE>
    <SEVERITY>1</SEVERITY>
    <RESULTS>Line 1 :
 field 1 :  value1
 field 2: value2</RESULTS>
    <STATUS>NEW</STATUS>
</DETECTION>


mbachhav
Path Finder

The problem has been solved with the stanza below:

[stanza name]

TIMESTAMP_FIELDS=dateTime
LINE_BREAKER=(\<DETECTION\s)
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TZ=UTC
CHARSET=UTF-8
KV_MODE=xml
MAX_EVENTS=50000
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ


aasabatini
Motivator

Hi @mbachhav 

try these props:

[<your sourcetype>]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\<DETECTION\>
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

mbachhav
Path Finder

@aasabatini,

I tried the suggested option, but it's not working as expected. The data is split into multiple events.


aasabatini
Motivator

Hi @mbachhav 

Can you show your props.conf?

Regards

Alessandro


mbachhav
Path Finder

Below is my props.conf file:

[stanza]
TIMESTAMP_FIELDS=dateTime
LINE_BREAKER =\<DETECTION\>
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TZ=UTC
CHARSET=UTF-8
KV_MODE=xml
MAX_EVENTS=50000
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ


aasabatini
Motivator

Hi @mbachhav 

Please can you remove LINE_BREAKER and add this option, as I told you:

BREAK_ONLY_BEFORE=\<DETECTION\>

Let me know if it works.


mbachhav
Path Finder

Apologies. First I tried with BREAK_ONLY_BEFORE=\<DETECTION\>, but it didn't work, hence I tried LINE_BREAKER.

