Need help with a regex for line_breaker in props.conf

mbachhav
Path Finder

Hi,

I need help with a regex for the LINE_BREAKER attribute in props.conf.

I have the data below and want it ingested as a single event in Splunk. Currently, the <RESULTS> data splits into multiple events.

I would like to send the entire <DETECTION> tag as a single event. Can someone help me with the right LINE_BREAKER pattern to use?

<DETECTION>
    <ID>231</ID>
    <TYPE>Information</TYPE>
    <SEVERITY>1</SEVERITY>
    <RESULTS>Line 1 :
 field 1 :  value1
 field 2: value2</RESULTS>
    <STATUS>NEW</STATUS>
</DETECTION>


mbachhav
Path Finder

The problem has been solved with the stanza below:

[stanza name]

TIMESTAMP_FIELDS=dateTime
LINE_BREAKER=(\<DETECTION\s)
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TZ=UTC
CHARSET=UTF-8
KV_MODE=xml
MAX_EVENTS=50000
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ


aasabatini
Motivator

Hi @mbachhav 

Try this props.conf:

[<your sourcetype>]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=\<DETECTION\>
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

mbachhav
Path Finder

@aasabatini,

I tried the suggested option but it's not working as expected. Data is split into multiple events. 


aasabatini
Motivator

Hi @mbachhav 

Can you show your props.conf?

Regards

Alessandro


mbachhav
Path Finder

Below is my props.conf file:

[stanza]
TIMESTAMP_FIELDS=dateTime
LINE_BREAKER =\<DETECTION\>
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TZ=UTC
CHARSET=UTF-8
KV_MODE=xml
MAX_EVENTS=50000
TIME_FORMAT=%Y-%m-%dT%H:%M:%SZ


aasabatini
Motivator

Hi @mbachhav 

Please remove the LINE_BREAKER and add this option as I told you:

BREAK_ONLY_BEFORE=\<DETECTION\>

Let me know if it works.


mbachhav
Path Finder

Apologies. First I tried with BREAK_ONLY_BEFORE=\<DETECTION\> but it didn't work, hence I tried LINE_BREAKER.
