Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SHOULD_LINEMERGE break

rbonetti
Engager
‎01-05-2012 01:31 AM

Hi all,

I would like to break some lines into mutliple events.
The break condition is the time, as you can see below in bold in the log file:

[10:27:21.937] DEBUG [RequestStatusTask] [c.s.t.p.a.c.d.p.DataPrinterWrapper] [onSequenceStatusChanged:758] printer 1 :Sequence State : READY / READY
[10:27:22.500] DEBUG [AskCodeTask] [c.s.t.p.a.c.d.p.DataPrinterWrapper]

I have configured the props.conf, but it doesn't work:

[client_log]
BREAK_ONLY_BEFORE = [\d\d:\d\d:\d\d.\d\d\d]

Thanks for your help.

Tags (1)
0 Karma
Reply

BobM
Builder
‎01-05-2012 07:16 AM

I think you would be better defining the timestamp and telling splunk to break only before a time stamp.

[client_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = \[
TIME_FORMAT = %H:%M:%S.%3N
Reply

MuS
Legend
‎01-05-2012 02:23 AM

Hi rbonetti

your regex matches not only the time string but also some . and numbers later. try the regex without the [ ] eq BREAK_ONLY_BEFORE = \d\d:\d\d:\d\d.\d\d\d this should match only your time string.

cheers

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...