linebreaking for text configuration file format

JeffTanYH
Engager

I am trying to line-break my text-format configuration file into different events by ControlID. I need help with the line-breaking of my data.

My text configuration looks something like this:

******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Process Tracking:                                     Blah 


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Account Logon Events:                                 Blah 


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Account Management/User and Group Mgmt:               Blah 


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Logon Events/Logon and Logoff :                       Blah 

The grey lines you see are actually ******** in my text file.

I am rather new to Splunk and I urgently need your help in line-breaking my data. I have tried several methods, but they don't seem to work for my data.

When I input this file into Splunk, it automatically breaks my data into events. However, it does not break the events the way I want; it simply selects random lines to break the data, giving no meaning to the different events.

Please help me! Thank you.

1 Solution

MarioM
Motivator

Did you try the following for your sourcetype in your props.conf:

    [my_sourcetype]
    BREAK_ONLY_BEFORE=(.*\bControlID:.*)
    SHOULD_LINEMERGE=true


JeffTanYH
Engager

And one more thing: could you help me figure out how to line-break this as well?

Is it feasible to break [1] from [2] and make them separate events, while maintaining the line break of each ControlID event? And how?

******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************


    ________________________________________________________________________
    Object: C:\WINDOWS
    Owner:  BUILTIN\Administrators
    Group:  BUILTIN\Administrators

    ACL (DACL): 
    =========== 
    [1]:
    BUILTIN\Users
    ACE Header Type : 0x0
    ACE Header Flags: 0x0
    ACE Access Mask : 0x999999
    Apply to : [This folder] 
    Allow
        Read Permissions
        Read Extended Attributes
        Read Attributes
        List Folder/Read Data
        Traverse Folder/Execute File
    [2]:
    BUILTIN\Users
    ACE Header Type : 0x0
    ACE Header Flags: 0xb
    ACE Access Mask : 0xn0000000
    Apply to : [Subfolders] [Files] 
    Allow
        Read
        Execute

It would be much appreciated if you could help me!


JeffTanYH
Engager

Alright. Thanks a lot, MarioM. I'll create a new question and hopefully someone has a solution.


MarioM
Motivator

I am afraid that on this one I don't think it will be possible to maintain the line break of each ControlID event.
Maybe someone else will have an idea...
You should create a new question.


MarioM
Motivator

Even better than BREAK_ONLY_BEFORE (SHOULD_LINEMERGE=true uses more resources):

[my_sourcetype]
LINE_BREAKER=([\r\n\-]+)\s+Reading.*
SHOULD_LINEMERGE=false

JeffTanYH
Engager

Hey. Thanks for your answers, greatly appreciated. The first one works better, as it correctly breaks the events by the ControlID I need. The second one, however, breaks the "Auditing Enabled: Blah Audit Process Tracking: Blah" section together with the ControlID below it, which is not what I want.


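To see what each of the two props.conf approaches above actually does to data shaped like the posted file, here is an added Python emulation of Splunk's line-breaking rules. It is not code from the thread or from Splunk: it reproduces the documented semantics (LINE_BREAKER ends the previous event at the start of capturing group 1, discards the group's text and starts the next event after it; with SHOULD_LINEMERGE=true, BREAK_ONLY_BEFORE starts a new event at each line matching the pattern). The sample text is constructed from the posted layout, and LINE_BREAKER_BANNER is an assumed regex written for the asterisk banner, not something MarioM posted.

```python
import re

# Constructed sample in the shape of the posted file (two ControlID blocks).
SAMPLE = """\
******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Process Tracking:                                     Blah


******************************************************************************
* Reading information for ControlID:     999999                              *
******************************************************************************

Auditing Enabled:                                           Blah
Audit Account Logon Events:                                 Blah
"""

# The two settings from the thread, as posted.
BREAK_ONLY_BEFORE = r".*\bControlID:.*"
LINE_BREAKER_POSTED = r"([\r\n\-]+)\s+Reading.*"

# Assumed alternative (not from the thread): break on the newline(s) that precede
# a banner line of 10+ asterisks followed by the "* Reading information" line.
LINE_BREAKER_BANNER = r"([\r\n]+)\*{10,}[\r\n]+\*\s+Reading information for ControlID"


def line_breaker(text, pattern):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE=false.

    The previous event ends at the start of capturing group 1, the group's
    text is dropped, and the next event starts at the end of the group.
    """
    events = []
    pos = 0
    for m in re.finditer(pattern, text):
        events.append(text[pos:m.start(1)])
        pos = m.end(1)
    events.append(text[pos:])
    return [e for e in events if e.strip()]


def break_only_before(text, pattern):
    """Emulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE.

    Lines are split on newlines and then merged; a new event begins at
    every line that matches the pattern.
    """
    regex = re.compile(pattern)
    events, current = [], []
    for line in text.splitlines():
        if regex.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return [e for e in events if e.strip()]


if __name__ == "__main__":
    for label, events in [
        ("BREAK_ONLY_BEFORE", break_only_before(SAMPLE, BREAK_ONLY_BEFORE)),
        ("LINE_BREAKER (posted)", line_breaker(SAMPLE, LINE_BREAKER_POSTED)),
        ("LINE_BREAKER (banner)", line_breaker(SAMPLE, LINE_BREAKER_BANNER)),
    ]:
        print(f"== {label}: {len(events)} event(s)")
        for i, ev in enumerate(events, 1):
            print(f"-- event {i} --\n{ev}")
```

Running it shows the three behaviours side by side. BREAK_ONLY_BEFORE splits at every ControlID line, but because the break happens before that line, the top asterisk row of each banner is glued to the end of the previous event (and the very first event is just a lone row of asterisks). The posted LINE_BREAKER requires a run of dashes or line ends immediately before the whitespace and "Reading"; in this banner the character there is "*", so the regex never matches the sample and everything stays in one event. The assumed banner regex breaks on the newline before the asterisk row, so each event starts cleanly with its own banner, which is what a LINE_BREAKER/SHOULD_LINEMERGE=false stanza for this format would need. Since the posted data carries no timestamp, the same stanza would usually also set DATETIME_CONFIG = CURRENT so Splunk does not hunt for one inside the banner text.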