Splunk Search

linebreaking for text configuration file format

JeffTanYH
Engager

I am trying to linebreak my text format configuration file into the different events by the ControlID. I need help in the linebreaking of my data.

My text configuration looks something like this:

    ******************************************************************************
    * Reading information for ControlID:     999999                              *
    ******************************************************************************

    Auditing Enabled:                                           Blah
    Audit Process Tracking:                                     Blah


    ******************************************************************************
    * Reading information for ControlID:     999999                              *
    ******************************************************************************

    Auditing Enabled:                                           Blah
    Audit Account Logon Events:                                 Blah


    ******************************************************************************
    * Reading information for ControlID:     999999                              *
    ******************************************************************************

    Auditing Enabled:                                           Blah
    Audit Account Management/User and Group Mgmt:               Blah


    ******************************************************************************
    * Reading information for ControlID:     999999                              *
    ******************************************************************************

    Auditing Enabled:                                           Blah
    Audit Logon Events/Logon and Logoff :                       Blah

The grey lines you see are actually ******** in my text file.

I am rather new to Splunk and I urgently need your help in linebreaking my data. I have tried several methods but they don't seem to be working for my data.

When I input this file into Splunk, it automatically breaks my data into events. However, it does not break the events into what I want; it simply selects random lines to break the data, and it gives no meaning to the different events.

Please help me! Thank you.

0 Karma
1 Solution

MarioM
Motivator

Did you try the following for your sourcetype on your props.conf:

    [my_sourcetype]
    BREAK_ONLY_BEFORE=(.*\bControlID:.*)
    SHOULD_LINEMERGE=true

JeffTanYH
Engager

And one more thing... Could you help me figure out how I can linebreak this as well?

Is it feasible to break [1] from [2] and make them separate events, while maintaining the linebreak of each ControlID event? And how?

    ******************************************************************************
    * Reading information for ControlID:     999999                              *
    ******************************************************************************


    ________________________________________________________________________
    Object: C:\WINDOWS
    Owner:  BUILTIN\Administrators
    Group:  BUILTIN\Administrators

    ACL (DACL): 
    =========== 
    [1]:
    BUILTIN\Users
    ACE Header Type : 0x0
    ACE Header Flags: 0x0
    ACE Access Mask : 0x999999
    Apply to : [This folder] 
    Allow
        Read Permissions
        Read Extended Attributes
        Read Attributes
        List Folder/Read Data
        Traverse Folder/Execute File
    [2]:
    BUILTIN\Users
    ACE Header Type : 0x0
    ACE Header Flags: 0xb
    ACE Access Mask : 0xn0000000
    Apply to : [Subfolders] [Files] 
    Allow
        Read
        Execute

It would be much appreciated if you could help me!

0 Karma

JeffTanYH
Engager

Alright. Thanks a lot MarioM. I'll create a new question and hopefully someone has a solution.

0 Karma

MarioM
Motivator

I am afraid on this one I don't think it will be possible to maintain the linebreak of each ControlID event.
Maybe someone else will have an idea...
You should create a new question.

0 Karma

MarioM
Motivator

Even better than BREAK_ONLY_BEFORE (SHOULD_LINEMERGE=true uses more resources):

    [my_sourcetype]
    # The banner in the file is a line of asterisks (not dashes), so break
    # before the asterisk line that precedes "* Reading information for ControlID".
    # Only the captured newlines are discarded; the rest of the match stays
    # at the start of the next event.
    LINE_BREAKER=([\r\n]+)\*+[\r\n]+\*\s+Reading
    SHOULD_LINEMERGE=false
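To see what the two props.conf approaches in this thread (the accepted BREAK_ONLY_BEFORE answer and the LINE_BREAKER one above) do to a file of this shape, here is an added Python emulation. It is example code written for this page, not Splunk's own parser and not code from either poster. It assumes simplified semantics: with SHOULD_LINEMERGE=true, BREAK_ONLY_BEFORE starts a new event at every line that matches the regex; with SHOULD_LINEMERGE=false, LINE_BREAKER runs over the raw text, its first capturing group is dropped as the boundary, and whatever the regex matched after the group begins the next event. The sample data is constructed from the question's format with two different ControlIDs so the result can be checked; the `control_ids` helper and the function names are mine.

```python
import re
from typing import List, Optional

# Constructed sample in the format shown in the question: two ControlID
# blocks, each under a banner of asterisks (the "grey lines" of the post).
BANNER = "*" * 78
SAMPLE = "\n".join([
    BANNER,
    "* Reading information for ControlID:     999999" + " " * 30 + "*",
    BANNER,
    "",
    "Auditing Enabled:                                           Blah",
    "Audit Process Tracking:                                     Blah",
    "",
    "",
    BANNER,
    "* Reading information for ControlID:     888888" + " " * 30 + "*",
    BANNER,
    "",
    "Auditing Enabled:                                           Blah",
    "Audit Account Logon Events:                                 Blah",
]) + "\n"

# The two patterns from the thread (LINE_BREAKER written for an asterisk
# banner rather than a dashed one).
BREAK_ONLY_BEFORE = r"(.*\bControlID:.*)"
LINE_BREAKER = r"([\r\n]+)\*+[\r\n]+\*\s+Reading"


def break_only_before(text: str, pattern: str) -> List[str]:
    """Simplified emulation of SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE:
    each raw line is merged into the current event until a line matches
    the regex, which starts a new event."""
    regex = re.compile(pattern)
    events: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if current and regex.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def line_breaker(text: str, pattern: str) -> List[str]:
    """Simplified emulation of SHOULD_LINEMERGE=false + LINE_BREAKER: the
    regex runs over the raw stream, the first capturing group is the
    boundary and is discarded, and the rest of the match is kept as the
    start of the next event. Leading/trailing newlines are trimmed."""
    regex = re.compile(pattern)
    if regex.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events: List[str] = []
    pos = 0
    for m in regex.finditer(text):
        events.append(text[pos:m.start(1)])
        pos = m.end(1)
    events.append(text[pos:])
    return [e.strip("\r\n") for e in events if e.strip("\r\n")]


def control_ids(events: List[str]) -> List[Optional[str]]:
    """First ControlID in each event, or None for an event without one.
    A None reveals an event that carries no ControlID at all."""
    found: List[Optional[str]] = []
    for event in events:
        m = re.search(r"ControlID:\s*(\d+)", event)
        found.append(m.group(1) if m else None)
    return found


if __name__ == "__main__":
    for name, events in (
        ("BREAK_ONLY_BEFORE", break_only_before(SAMPLE, BREAK_ONLY_BEFORE)),
        ("LINE_BREAKER", line_breaker(SAMPLE, LINE_BREAKER)),
    ):
        print(f"{name}: {len(events)} events, ControlIDs {control_ids(events)}")
        for i, event in enumerate(events, 1):
            print(f"--- event {i} ---\n{event}")
```

Under these simplified rules the BREAK_ONLY_BEFORE setting produces an event per ControlID but starts each event at the "* Reading ..." line, so the first asterisk line of every banner ends up at the tail of the previous event and the very first event is just a banner line with no ControlID. The LINE_BREAKER pattern breaks before the banner instead, so each event begins with its full banner and holds exactly one ControlID; that is the check worth running against a copy of the real file before committing either setting to props.conf.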

JeffTanYH
Engager

Hey. Thanks for your answers, greatly appreciated. The first one works better as it correctly breaks the events by the ControlID I need. The second one, however, breaks the "Auditing Enabled: Blah Audit Process Tracking: Blah" section together with the ControlID below it, which is not what I want.

0 Karma
