Splunk Search

camera log line breaking

twistedsixty4
Path Finder

hey all,
so I'm trying to add our camera system logs to splunk but because of the formatting of the status logs it breaks it at the wrong spot. I've tried to specify custom line breaking rules in the props file but I must be doing something wrong.

here is a sample log:

Device Status:
 ctime=1392061339.198785
 lcode=1 (NORMAL)
 mcode=1 (NORMAL)
 afpks=009830
 afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288

splunk keeps trying to break on the "ctime=\d+.\d+" string but a full log runs from the "Device\sStatus:" line to just before the next "Device\sStatus:". So when it breaks on ctime I get twice as many logs with half of the information in each.

under the file match condition heading this is the line I added:

[source::.../status-data/*/*.status]

LINE_BREAKER = (Device\sStatus:)
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false

thanks for the help guys!

1 Solution

somesoni2
Revered Legend

Try with this props.conf setting.

[source::.../status-data/*/*.status]
BREAK_ONLY_BEFORE = Device Status
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ctime=

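To see why the accepted settings fix the split, here is an added example (not from the thread or from Splunk) that emulates the two event-breaking rules in plain Python on a constructed log modelled on the sample above: breaking before every "ctime=" line scatters each status dump across several fragments, while breaking only before "Device Status:" yields one event per dump with its first ctime usable as the timestamp.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the question's log: three status dumps,
# each starting with "Device Status:" and carrying two ctime= lines.
SAMPLE = """Device Status:
 ctime=1392061339.198785
 lcode=1 (NORMAL)
 afpks=009830

Device Settings:
name=abc10
ctime=1392041485.026564
fps=10

Latest Data:
isnm=194206
size=165465
""" * 3


def break_before(text, pattern):
    """Emulate BREAK_ONLY_BEFORE: a new event starts at every line that
    matches `pattern`, and the matching line stays at the head of its event."""
    events, current = [], []
    for line in text.splitlines():
        if re.match(pattern, line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def fields(event):
    """Collect key=value pairs from one event; the first occurrence of a key
    wins, which is what TIME_PREFIX = ctime= relies on for the timestamp."""
    kv = {}
    for m in re.finditer(r"^[ \t]*(\w+)=(\S+)", event, re.M):
        kv.setdefault(m.group(1), m.group(2))
    return kv


def event_time(event):
    """Parse the first ctime (epoch seconds with microseconds) as UTC."""
    return datetime.fromtimestamp(float(fields(event)["ctime"]), tz=timezone.utc)


if __name__ == "__main__":
    for pat in (r"^[ \t]*ctime=", r"^[ \t]*Device Status:"):
        evs = break_before(SAMPLE, pat)
        print(pat, "->", len(evs), "events;", sum("ctime" in fields(e) for e in evs), "with a timestamp")
```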

twistedsixty4
Path Finder

This worked perfectly! Also I realized that a part of my problem was that I was updating the props file on the forwarder, not the server, oops! Thanks for your help!
