Solved: Re: Props.conf and LINE_BREAKER Regex

Drainy · ‎07-21-2011

I have created a regex;

(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

To act as my LINE_BREAKER in the props conf file for an app I am currently working on.
The log data is generated by a script and the length of each event output by the script is variable in length and contents however the first entry is always a timestamp of the format;

13:36:18.680336

In the documentation is the following paragraph;

Wherever the regex matches, Splunk considers the start of the first matching group to be the end of the previous event, and considers the end of the first matching group to be the start of the next event.

From http://www.splunk.com/base/Documentation/Latest/Admin/Propsconf

Now I understand that as meaning that it will interpret my regex, when a match is made it will move to the end of the matched data and count that as the beginning of my event.
Thats not ideal as I really want to keep all the event data, but as a test I tried it and instead it caught all of my event but missed the first two integers of my timestamp like so;

:36:18.680336

I assume its my regex or understanding/implementation thats at fault? Any ideas would be appreciated.

dwaddle · ‎07-21-2011

LINE_BREAKER gobbles the first capture group. You might try this:

([\r\n]+)(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

View solution in original post

dwaddle · ‎07-21-2011

LINE_BREAKER gobbles the first capture group. You might try this:

([\r\n]+)(\d+)(:)(\d+)(:)(\d+)(\.)(\d+)

Props.conf and LINE_BREAKER Regex

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7