Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SHOULD_LINEMERGE break

rbonetti
Engager
‎01-05-2012 01:31 AM

Hi all,

I would like to break some lines into mutliple events.
The break condition is the time, as you can see below in bold in the log file:

[10:27:21.937] DEBUG [RequestStatusTask] [c.s.t.p.a.c.d.p.DataPrinterWrapper] [onSequenceStatusChanged:758] printer 1 :Sequence State : READY / READY
[10:27:22.500] DEBUG [AskCodeTask] [c.s.t.p.a.c.d.p.DataPrinterWrapper]

I have configured the props.conf, but it doesn't work:

[client_log]
BREAK_ONLY_BEFORE = [\d\d:\d\d:\d\d.\d\d\d]

Thanks for your help.

Tags (1)
0 Karma
Reply

BobM
Builder
‎01-05-2012 07:16 AM

I think you would be better defining the timestamp and telling splunk to break only before a time stamp.

[client_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = \[
TIME_FORMAT = %H:%M:%S.%3N
Reply

MuS
SplunkTrust
SplunkTrust
‎01-05-2012 02:23 AM

Hi rbonetti

your regex matches not only the time string but also some . and numbers later. try the regex without the [ ] eq BREAK_ONLY_BEFORE = \d\d:\d\d:\d\d.\d\d\d this should match only your time string.

cheers

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...