I am trying to line-break my text-format configuration file into separate events by ControlID. I need help with the line breaking of my data.
My text configuration looks something like this:
******************************************************************************
* Reading information for ControlID: 999999 *
******************************************************************************
Auditing Enabled: Blah
Audit Process Tracking: Blah
******************************************************************************
* Reading information for ControlID: 999999 *
******************************************************************************
Auditing Enabled: Blah
Audit Account Logon Events: Blah
******************************************************************************
* Reading information for ControlID: 999999 *
******************************************************************************
Auditing Enabled: Blah
Audit Account Management/User and Group Mgmt: Blah
******************************************************************************
* Reading information for ControlID: 999999 *
******************************************************************************
Auditing Enabled: Blah
Audit Logon Events/Logon and Logoff : Blah
The grey lines you see are actually ******** in my text file.
I am rather new to Splunk and I urgently need your help in line-breaking my data. I have tried several methods, but none of them seem to be working for my data.
When I input this file into Splunk, it automatically breaks my data into events. However, it does not break the events into what I want; it simply selects random lines to break the data on, and it gives no meaning to the different events.
Please help me! Thank you.
Did you try the following for your sourcetype in your props.conf:
[my_sourcetype]
BREAK_ONLY_BEFORE=(.*\bControlID:.*)
SHOULD_LINEMERGE=true
And one more thing... Could you help me figure out how I line-break this as well?
Is it feasible to break [1] from [2] and make them separate events, while maintaining the line break of each ControlID event? And how?
******************************************************************************
* Reading information for ControlID: 999999 *
******************************************************************************
________________________________________________________________________
Object: C:\WINDOWS
Owner: BUILTIN\Administrators
Group: BUILTIN\Administrators
ACL (DACL):
===========
[1]:
BUILTIN\Users
ACE Header Type : 0x0
ACE Header Flags: 0x0
ACE Access Mask : 0x999999
Apply to : [This folder]
Allow
Read Permissions
Read Extended Attributes
Read Attributes
List Folder/Read Data
Traverse Folder/Execute File
[2]:
BUILTIN\Users
ACE Header Type : 0x0
ACE Header Flags: 0xb
ACE Access Mask : 0xn0000000
Apply to : [Subfolders] [Files]
Allow
Read
Execute
It would be much appreciated if you could help me!
Alright. Thanks a lot MarioM. I'll create a new question and hopefully someone has a solution.
I am afraid that on this one I don't think it will be possible to maintain the line break of each ControlID event.
Maybe someone else will have an idea...
You should create a new question
Even better than BREAK_ONLY_BEFORE
(SHOULD_LINEMERGE=true uses more resources):
[my_sourcetype]
LINE_BREAKER=([\r\n\-]+)\s+Reading.*
SHOULD_LINEMERGE=false
Hey. Thanks for your answers, greatly appreciated. The first one works better, as it correctly breaks the events into the ControlIDs I need. The second one, however, breaks the "Auditing Enabled: Blah Audit Process Tracking: Blah" section together with the ControlID below it, which is not what I want.
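An added example, not part of this thread: a small Python approximation of the two props.conf breaking modes discussed above (BREAK_ONLY_BEFORE with line merging, and LINE_BREAKER without it), run over a constructed copy of the question's sample so a regex can be checked before it goes into props.conf. The BREAK_ONLY_BEFORE regex is the one from the accepted answer; the lookahead-based LINE_BREAKER_BANNER regex and the function names are my own assumptions, and the functions only approximate Splunk's pipeline.

```python
import re

# Constructed sample in the layout shown in the question; the values are placeholders.
BANNER = "*" * 78
SAMPLE = "\n".join([
    BANNER,
    "* Reading information for ControlID: 999999 *",
    BANNER,
    "Auditing Enabled: Blah",
    "Audit Process Tracking: Blah",
    BANNER,
    "* Reading information for ControlID: 999999 *",
    BANNER,
    "Auditing Enabled: Blah",
    "Audit Account Logon Events: Blah",
]) + "\n"

# BREAK_ONLY_BEFORE is the regex from the thread. LINE_BREAKER_BANNER is a hypothetical
# alternative: the capturing group is only the newline (Splunk discards it), and the
# lookahead breaks just before a top border that is followed by a "* Reading" line.
BREAK_ONLY_BEFORE = r"(.*\bControlID:.*)"
LINE_BREAKER_BANNER = r"([\r\n]+)(?=\*{5,}[\r\n]+\* Reading information)"

def break_only_before(raw, pattern):
    """Approximate SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE: merge lines until one matches."""
    regex = re.compile(pattern)
    events, current = [], []
    for line in raw.splitlines():
        if current and regex.search(line):   # a matching line starts a new event
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def line_breaker(raw, pattern):
    """Approximate SHOULD_LINEMERGE=false + LINE_BREAKER: first group is the discarded boundary."""
    regex = re.compile(pattern)
    events, pos = [], 0
    for m in regex.finditer(raw):
        events.append(raw[pos:m.start(1)])   # text before the group ends the previous event
        pos = m.end(1)                       # text after the group starts the next one
    events.append(raw[pos:])
    return [e for e in events if e.strip()]

def control_ids(event):
    """ControlID values found in one event; a good break yields exactly one per event."""
    return re.findall(r"\bControlID:\s*(\d+)", event)
```

In this emulation the accepted answer's regex gives one ControlID per event but attaches each record's top border to the previous event (and the very first border becomes an event of its own), while the lookahead variant keeps each border with its own record; the thread's `([\r\n\-]+)\s+Reading.*` never matches here because the sample lines begin with "* Reading", not whitespace.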