Splunk Search

camera log line breaking

twistedsixty4
Path Finder

hey all,
so I'm trying to add our camera system logs to splunk but because of the formatting of the status logs it breaks it at the wrong spot. I've tried to specify custom line breakingg rules in the props file but I must be doing something wrong.

here is a sample log:

Device Status:
 ctime=1392061339.198785
 lcode=1 (NORMAL)
 mcode=1 (NORMAL)
 afpks=009830
 afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288
iscount=64

Latest Data:
isnm=194206
ssnm=4134514
size=165465
Device Status:
ctime=1392061339.198785
lcode=1 (NORMAL)
mcode=1 (NORMAL)
afpks=009830
afius=038551

Device Settings:
name=abc10
type=asd
ctime=1392041485.026564
imgq=86
fps=10
vca=0
apb=0
ptz=0/0/100/50/0
most=-6
cbbytes=33554432
mibytes=524288

splunk keeps trying to break on the "ctime=\d+.\d+" string but a full log runs from the "Device\sStatus:" line to just before the next "Device\sStatus:". so when it breaks on ctime i get twice as many logs with half of the information in each.

under the file match condition heading this is the line i added:

[source::.../status-data/*/*.status]

LINE_BREAKER = (Device\sStatus:)
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false

thanks for the help guys!

0 Karma
1 Solution

somesoni2
Revered Legend

Try with this props.conf setting.

[source::.../status-data/*/*.status]
BREAK_ONLY_BEFORE = Device Status
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ctime=

View solution in original post

0 Karma

somesoni2
Revered Legend

Try with this props.conf setting.

[source::.../status-data/*/*.status]
BREAK_ONLY_BEFORE = Device Status
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ctime=
0 Karma

twistedsixty4
Path Finder

this worked perfectly! also i realized that a part of my problem was that i was updating the props file on the forwarder, not the server, oops! thanks for your help!

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...