Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: PROPS Configuration issues with unstructured E...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have some issues in writing PROPS configuration file for the sample data/events given below. I have given 4 events and each of the events starts with CONNECT. But the word CONNECT has 2 0r 4 of "-" before it and First Line has the time stamp. How I would write following parameters for PROPS configuration file. Any help will be highly appreciated. Thank you so much.
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
TIME_PREFIX =
BREAK_ONLY_BEFORE=
MAX_TIMESTAMP_LOOKAHEAD=20
TIME_FORMAT=%Y-%m-%d %H:%M
Sample Events:
----CONNECT-1007-036807981618-SYS-2021-09-18 09:39
----CHECKPOINT-0000-036807981629-2021-09-18 08:39:07.010344
--ROLLBACK-1007-036807981689DF
--ROLLBACK WORK
--CHECKPOINT-0000-036807981670-2021-09-18 09:39:37.056758
--COMMIT-1001-036807983530-2021-09-18 09:57:33.200259
--COMMIT WORK
--CHECKPOINT-0000-sa2036807983541-er2021-09-145 09:57:4462.998011
--CHECKPOINT-0000-qa4036807983512aa7-21aa021-09-18 09:58:17.469411
--CONNECT-1027-036807981700-dbo-2021-09-18 09:42
----ROLLBACK-1027-036807981723CD
--ROLLBACK WORK
---CONNECT-1029-036807981725-dbo-2021-09-18 09:42
----CHECKPOINT-0000-036807981736-2021-09-18 09:42:26.201026
--ROLLBACK-1029-0368079817AB
--ROLLBACK WORK
--CONNECT-1031-036807981780-dbo-2021-09-18 09:42
----COMMIT-1031-036807981791-2021-09-18 09:42:27.981158
--COMMIT WORK
--ROLLBACK-1031-036807981800
--ROLLBACK WORK
--COMMIT-1001-036807983530-2021-09-18 09:57:33.200259
--COMMIT WORK
--CHECKPOINT-0000-036807983541-2021-09-18 09:57:42.998011
--CHECKPOINT-0000-036807983577-2021-09-18 09:58:17.469411
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, appreciate your support. I used ....What you think about following PROPS Conf ? since it's working as expected. Thank you again.
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=CONNECT
CHARSET=UTF-8
TIME_PREFIX=\-\-CONNECT\-+\d{4}-+\d{12}\-+\w+\-
TIME_FORMAT=%Y-%m-%d %H:%M
MAX_TIMESTAMP_LOOKAHEAD=40
TRUNCATE=3000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
G'day malekmo,
This should get you going with the timestamps and line breaks.
[NEW_SOURCETYPE]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=CONNECT
TIME_PREFIX=(SYS-|dbo-)
MAX_TIMESTAMP_LOOKAHEAD=40
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, appreciate your support. I used ....What you think about following PROPS Conf ? since it's working as expected. Thank you again.
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=CONNECT
CHARSET=UTF-8
TIME_PREFIX=\-\-CONNECT\-+\d{4}-+\d{12}\-+\w+\-
TIME_FORMAT=%Y-%m-%d %H:%M
MAX_TIMESTAMP_LOOKAHEAD=40
TRUNCATE=3000
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
