Splunk Search

Why are logs coming up with hyphens/dashes?

jackin
Path Finder

Can anyone suggest why the logs are coming up like this? I added the monitoring stanza.

Could anyone suggest some troubleshooting steps/solution?

 

jackin_0-1645108093020.png

inputs.conf stanza

[monitor:///opt/netmonitor/LOG/*]
index = osnix
sourcetype = ping_status_log_new
crcSalt = <SOURCE> 

 

0 Karma

gcusello
SplunkTrust

Hi @jackin,

The logs you're indexing contain a line separation.

You could filter it following the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...

In a few words:

in props.conf

 

[ping_status_log_new]
TRANSFORMS-null= setnull

 

in transforms.conf

 

[setnull]
REGEX = \-{10}
DEST_KEY = queue
FORMAT = nullQueue

 

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

That can also be a separator between events and the events themselves can be multilined.

In such a case you'd do something like

LINE_BREAKER = (-{20,}[\r\n])
SHOULD_LINEMERGE = false
0 Karma
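
A simplified Python model of the two suggestions in this thread, added here as an illustration and not posted by any participant or taken from Splunk: it compares dropping separator lines with the `[setnull]` regex against breaking events on the separator with the `LINE_BREAKER` regex. The sample log, the function names and the anchored `^-{10,}\s*$` variant are assumptions, and the filter model assumes each line reaches the transform as its own event.

```python
import re

# Constructed sample (not from the thread): two multi-line ping records, each
# followed by a rule of 30 dashes. One record carries dashes as data.
RULE = "-" * 30
SAMPLE = "\n".join([
    "2022-02-17 14:20:01 host=gw01 status=UP",
    "rtt_ms=12 loss=0%",
    RULE,
    "2022-02-17 14:21:01 host=gw01 status=DOWN",
    "note=----------timeout----------",
    RULE,
]) + "\n"

SETNULL = re.compile(r"\-{10}")               # REGEX from the [setnull] stanza
LINE_BREAKER = re.compile(r"(-{20,}[\r\n])")  # LINE_BREAKER from the thread
ANCHORED = re.compile(r"^-{10,}\s*$")         # assumption: stricter variant

def null_queue(raw, regex=SETNULL):
    """Model of the nullQueue filter: one event per line, matching events are dropped."""
    return [ln for ln in raw.splitlines() if ln and not regex.search(ln)]

def break_on_separator(raw):
    """Model of LINE_BREAKER with SHOULD_LINEMERGE = false.

    The text matched by capture group 1 is discarded; what precedes it ends
    one event and what follows it starts the next.
    """
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    # Surrounding whitespace is trimmed here only to make comparison easy.
    return [e.strip() for e in events if e.strip()]

if __name__ == "__main__":
    print("setnull, unanchored:", null_queue(SAMPLE))
    print("setnull, anchored  :", null_queue(SAMPLE, ANCHORED))
    print("line breaker       :", break_on_separator(SAMPLE))
```

The unanchored pattern also discards the `note=` line because it contains ten consecutive dashes, while the anchored variant and the line-breaker approach keep it. Whether the dashed rule arrives as its own event in a real deployment depends on the sourcetype's line-breaking settings.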