Splunk Search

camera log line breaking

twistedsixty4
Path Finder

hey all,
so I'm trying to add our camera system logs to Splunk but because of the formatting of the status logs it breaks it at the wrong spot. I've tried to specify custom line breaking rules in the props file but I must be doing something wrong.

here is a sample log:

Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288

Splunk keeps trying to break on the "ctime=\d+.\d+" string but a full log runs from the "Device\sStatus:" line to just before the next "Device\sStatus:". So when it breaks on ctime I get twice as many logs with half of the information in each.

under the file match condition heading this is the line I added:

[source::.../status-data/*/*.status]

LINE_BREAKER = (Device\sStatus:)
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false

thanks for the help guys!

0 Karma
1 Solution

somesoni2
Revered Legend

Try with this props.conf setting.

[source::.../status-data/*/*.status]
# Only start a new event at a line matching this regex (the record header)
BREAK_ONLY_BEFORE = Device Status
# Index the file even if Splunk's heuristics guess it is binary
NO_BINARY_CHECK = 1
# Line merging must be on for BREAK_ONLY_BEFORE to take effect
SHOULD_LINEMERGE = true
# The event timestamp follows this regex; the first match is the Device Status ctime
TIME_PREFIX = ctime=

0 Karma
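Before pushing a props.conf change to the indexer, it helps to check the breaking rule against a sample offline. The following is an added Python emulation written for this thread; it is not code from the thread or from Splunk. It assumes a constructed copy of the posted record repeated three times, treats BREAK_ONLY_BEFORE as "start a new event at any line matching the regex" (with SHOULD_LINEMERGE = true), takes the timestamp from the first match after TIME_PREFIX, and parses each event into its three sections so the ctime that appears under both Device Status and Device Settings does not collide. It also shows the symptom from the question: breaking at ctime= tears each record in two and leaves a stray header, while breaking at Device Status yields one event per record.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample: one record copied from the question, repeated three
# times (the post truncates its last record; this copy keeps all three whole).
RECORD = """Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
"""
SAMPLE_LOG = RECORD * 3


def split_events(text: str, break_only_before: str) -> list[str]:
    """Emulate BREAK_ONLY_BEFORE with SHOULD_LINEMERGE = true: a new event
    starts at every line matching the regex, everything else merges into the
    current event. The zero-width split keeps the matching line in its event."""
    boundary = re.compile(r"^(?=" + break_only_before + ")", re.MULTILINE)
    return [chunk for chunk in boundary.split(text) if chunk.strip()]


def extract_timestamp(event: str, time_prefix: str = "ctime=") -> datetime:
    """Emulate TIME_PREFIX: use the first epoch value found after the prefix
    regex. For these records that is the Device Status ctime, not the one
    under Device Settings."""
    m = re.search(time_prefix + r"(\d+(?:\.\d+)?)", event)
    if m is None:
        raise ValueError(f"no timestamp after prefix {time_prefix!r}")
    return datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)


def parse_sections(event: str) -> dict[str, dict[str, str]]:
    """Split one event into its 'Header:' sections of key=value pairs, so a
    key repeated across sections (ctime) does not overwrite itself."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in event.splitlines():
        line = raw.strip()  # the post's first record has indented lines
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


if __name__ == "__main__":
    good = split_events(SAMPLE_LOG, r"Device Status")
    bad = split_events(SAMPLE_LOG, r"ctime=")
    print(f"break before 'Device Status': {len(good)} events")
    print(f"break before 'ctime=':        {len(bad)} events")
    for ev in good:
        s = parse_sections(ev)
        print(extract_timestamp(ev).isoformat(),
              s["Device Status"]["lcode"], s["Latest Data"]["size"])
```

The regex arguments are used unescaped on purpose: BREAK_ONLY_BEFORE and TIME_PREFIX are both regular expressions in Splunk, so a pattern that works here (for example `Device\sStatus`) can be pasted into props.conf as-is.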

twistedsixty4
Path Finder

this worked perfectly! also I realized that a part of my problem was that I was updating the props file on the forwarder, not the server, oops! thanks for your help!

0 Karma