Splunk Search

Why am I getting "Regex: missing terminating ] for character class" with my line breaking configuration?

a212830
Champion

Hi,

I am testing a feed, and it appears to be working properly, but I'm getting a "Regex: missing terminating ] for character class" message in the data preview.

Data sample:

07/04 20:49:51:867 [ INFO]  ConnectorStatsAppender[106] -  Connector stats printed in 78 Millis.
07/04 21:09:51:894 [ INFO]  ConnectorStatsAppender[43] - Connector stats.. 

07/04/2015 21:09:51,  Active Users_cache,           11             
07/04/2015 21:09:51,  Total Users_cache,            9942           
07/04/2015 21:09:51,  Active Conversations_cache,   3                     
07/04/2015 21:09:51,  Total Conversations_cache,    7481                  
07/04/2015 21:09:51,  Threads Available_cache,      74                    
07/04/2015 21:09:51,  Total ReviewTokens_cache,     0                     
07/04/2015 21:09:51,  Total Grey-NetTokens_cache,   0

I want to break on each line that starts with the first timestamp format. So the first line would be an event, and then the second would be a multiline event with all the remaining lines until we get to the next line with the first timestamp format.

Here's my props:

ANNOTATE_PUNCT = false
KV_MODE = auto
LINE_BREAKER=  ([\r\n]+)\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\s[
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %m/%d %H:%M:%S:%3N
TIME_PREFIX = ^
TRUNCATE = 999999

So far, it looks ok, but I'm getting that error message.

0 Karma

richgalloway
SplunkTrust

The LINE_BREAKER line ends with an unmatched and un-escaped left bracket. Changing it to LINE_BREAKER= ([\r\n]+)\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\s\[ should fix the problem.

---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!
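Added example (not from either poster or from Splunk): a small Python script that reproduces the compile failure of the posted LINE_BREAKER, compiles richgalloway's corrected version, and emulates how Splunk applies LINE_BREAKER (the text matched by capture group 1 is the event boundary and is discarded) against a constructed copy of the sample lines from the question. It assumes Python's `re` is close enough to Splunk's PCRE for this pattern, which holds for the constructs used here; the sample data and function names are constructed for the example.

```python
import re

# Constructed copy of the sample feed from the question (not a live Splunk feed).
SAMPLE = (
    "07/04 20:49:51:867 [ INFO]  ConnectorStatsAppender[106] -  Connector stats printed in 78 Millis.\n"
    "07/04 21:09:51:894 [ INFO]  ConnectorStatsAppender[43] - Connector stats.. \n"
    "\n"
    "07/04/2015 21:09:51,  Active Users_cache,           11\n"
    "07/04/2015 21:09:51,  Total Users_cache,            9942\n"
    "07/04/2015 21:09:51,  Active Conversations_cache,   3\n"
)

# The LINE_BREAKER exactly as posted: the trailing "[" opens a character class that is never closed.
BROKEN_LINE_BREAKER = r"([\r\n]+)\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\s["

# The corrected LINE_BREAKER from the answer: the "[" is escaped so it matches a literal bracket.
FIXED_LINE_BREAKER = r"([\r\n]+)\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}:\d{3}\s\["


def regex_error(pattern):
    """Return None if the pattern compiles, otherwise the engine's error message.
    This is the check Splunk's data preview performs before applying LINE_BREAKER."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def break_events(data, line_breaker):
    """Emulate Splunk's LINE_BREAKER semantics: scan the raw text, cut an event
    boundary at each match, drop only the text captured by group 1 (the newlines),
    and keep the rest of the match (the timestamp) as the start of the next event."""
    pattern = re.compile(line_breaker)
    events = []
    start = 0
    for match in pattern.finditer(data):
        events.append(data[start:match.start(1)])
        start = match.end(1)
    events.append(data[start:])
    # Splunk does not index empty events, so discard whitespace-only fragments.
    return [event for event in events if event.strip()]


if __name__ == "__main__":
    print("broken pattern error:", regex_error(BROKEN_LINE_BREAKER))
    print("fixed pattern error: ", regex_error(FIXED_LINE_BREAKER))
    for i, event in enumerate(break_events(SAMPLE, FIXED_LINE_BREAKER), 1):
        print(f"--- event {i} ---")
        print(event)
```

With the corrected pattern the sample splits into two events: the single "Connector stats printed" line, and one multiline event holding the "Connector stats.." line plus all of the `07/04/2015` rows, because those rows have a four-digit year where the breaker expects a space and therefore never match. The blank line inside the second event is kept, which is what the asker wanted.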