Right now, Splunk indexes events that look like this:
Msg1=... time=... val=... id=... @ Msg2=... time=... val=... id=... @...@ MSgn=... time=... val=... id=...
I want to split each event by the "@" symbol.
Does anybody know what regular expression I should use?
Have you tried LINE_BREAKER = (@)?
I just did, and it splits the events how I wanted. Thanks!
Great. Please accept the answer.
What about \@ - that would match @ literally. You should probably set it for your sourcetype during "Add Data".
I tried and it's not breaking the events by @ symbol. Any ideas why?
Please post the relevant stanzas from your props.conf and transforms.conf files.
I didn't add/change anything yet. Splunk uses its default configuration, breaking events by line. I want to change that and make it break lines by a symbol, but I do not know how to do that yet. My main concern is what regular expression I could use, because I have different types of events, and their content changes, so I cannot rely on anything but the @ symbol.
Does your content change within the same log file?
Yes, I have only one source for my events.
That makes it slightly more difficult. You'll need to define each of those possibilities, and hope that they don't appear elsewhere in the code.
You should definitely paste relevant samples of your logs into the test box on https://regex101.com/ and see if you can get a capture group to capture all your needed linebreaks (they should look something like `(\@|---)` if your second linebreak is supposed to happen on ---). After that, if I were you I'd define a new custom sourcetype and set "LINE_BREAKER = yourRegex", "SHOULD_LINEMERGE = false" and "pulldown_type = true" so you can select it during "Add Data" and confirm it's working.
You probably want to have a look at http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Createsourcetypes
I will have a look and try what you suggested. Thanks!
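Added illustration, not code from this thread or from Splunk: a small Python emulation of how LINE_BREAKER consumes the text matched by its first capturing group, run over a constructed event in the shape the question describes. It assumes SHOULD_LINEMERGE = false and, as a simplification, strips whitespace around each event and drops empty ones; it also shows why a bare (@) can split in the wrong place when "@" occurs inside a field value, which is the risk raised above.

```python
import re

# props.conf stanza the answer describes (sourcetype name is a placeholder):
#
#   [my_at_separated_events]
#   LINE_BREAKER = (@)
#   SHOULD_LINEMERGE = false
#   pulldown_type = true

# Constructed sample events in the question's shape; values are placeholders.
RAW = "Msg1=a time=1 val=10 id=x @ Msg2=b time=2 val=20 id=y @ Msg3=c time=3 val=30 id=z"
RAW_TWO_SEPARATORS = "Msg1=a id=x @ Msg2=b id=y --- Msg3=c id=z"
RAW_AT_IN_VALUE = "Msg1=a mail=user@host.tld @ Msg2=b id=y"


def line_break(raw: str, line_breaker: str) -> list[str]:
    """Emulate Splunk's LINE_BREAKER on a raw text buffer.

    LINE_BREAKER must contain a capturing group. The text matched by the first
    capturing group is the event boundary and is discarded; text before it
    closes the current event, text after it begins the next one. This
    emulation assumes SHOULD_LINEMERGE = false (no re-merging afterwards) and,
    as a simplification, trims whitespace and drops empty events.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs at least one capturing group")
    events = []
    start = 0
    for match in pattern.finditer(raw):
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    events.append(raw[start:])
    return [event.strip() for event in events if event.strip()]


def compare_breakers(raw: str, breakers: list[str]) -> dict[str, int]:
    """Return how many events each candidate LINE_BREAKER yields for raw."""
    return {breaker: len(line_break(raw, breaker)) for breaker in breakers}


if __name__ == "__main__":
    # Default-style breaker splits on newlines only, so one event; (@) gives three.
    print(compare_breakers(RAW, [r"([\r\n]+)", r"(@)"]))
    # A bare (@) also splits inside the e-mail address; ( @ ) does not.
    print(compare_breakers(RAW_AT_IN_VALUE, [r"(@)", r"( @ )"]))
```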