
props.conf for specific log format

SplunkTrust

Hi All,

I'd like to create a props.conf for log files in this format:

   DEBUG[ScriptingSession] 2013-11-30 15:52:40.869 EST: <-initialize

Here is what I have so far:

[mws_debug]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT=%Y-%m-%d $H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 50
EXTRACT-mws_debug = "(?[^"]+)","(?[^"]+)","(?[^"]+)"

I think the field extraction is off, but I can't seem to get this to work.

Your help in modifying this stanza will be much appreciated.

Thanks!

0 Karma

Re: props.conf for specific log format

SplunkTrust

The field extraction indeed is off - I don't see any double quotes in the event, but your extraction is full of them.

Does event breaking and timestamping work for you?


Re: props.conf for specific log format

SplunkTrust

I would like to use this format if possible.

0 Karma

Re: props.conf for specific log format

Legend

Here is a correct regular expression; as Martin pointed out, it was full of double quotes and was not a valid regex. You should not quote your regular expression, nor should it have internal quotes. I have corrected a few other settings as well.

[mws_debug]
SHOULD_LINEMERGE = false
# Timestamp follows the closing bracket of the session name
TIME_PREFIX = \]
# %H (hour), not $H: strptime-style directives all use %
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 50
EXTRACT-mws=(?<debug>\S+)\[(?<session>\S+)\]\s+\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+\s(?<status>.*)

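An added example, not part of this thread, that sanity-checks the accepted answer's extraction regex and timestamp format against the sample event locally before the stanza is deployed. It assumes the Splunk time format `%Y-%m-%d %H:%M:%S.%3N` (with `%H`, not `$H`), spells named groups the Python way, `(?P<name>...)`, instead of PCRE's `(?<name>...)`, and adds a `ts` capture group that the answer's regex does not have, purely so the timestamp can be parsed and the lookahead distance measured.

```python
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample event, copied from the question; not a real log source.
SAMPLE_EVENT = "DEBUG[ScriptingSession] 2013-11-30 15:52:40.869 EST: <-initialize"

# The answer's EXTRACT-mws pattern. Splunk evaluates PCRE; every construct
# here also exists in Python's re, so the match can be checked offline.
# The extra (?P<ts>...) group is this example's addition (assumption).
EXTRACT_MWS = re.compile(
    r"(?P<debug>\S+)\[(?P<session>\S+)\]\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"
    r"(?P<status>.*)"
)

# TIME_PREFIX from the answer and the corrected TIME_FORMAT.
TIME_PREFIX = r"\]"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3N"
MAX_TIMESTAMP_LOOKAHEAD = 50


def extract_fields(event: str) -> dict[str, str] | None:
    """Return the named groups the regex would yield for one event, or None."""
    m = EXTRACT_MWS.match(event)
    return m.groupdict() if m else None


def splunk_to_python_strptime(fmt: str) -> str:
    """Translate Splunk's %3N (milliseconds) to Python's %f, which accepts
    one to six fractional digits; every other directive used here is shared."""
    return fmt.replace("%3N", "%f")


def parse_timestamp(ts: str, splunk_fmt: str) -> datetime | None:
    """Parse a timestamp string with a Splunk-style format; None on mismatch,
    which is what a typo such as '$H' produces."""
    try:
        return datetime.strptime(ts, splunk_to_python_strptime(splunk_fmt))
    except ValueError:
        return None


def chars_after_prefix(event: str, time_prefix: str) -> int | None:
    """Characters Splunk must read past the TIME_PREFIX match to reach the end
    of the timestamp; this has to stay within MAX_TIMESTAMP_LOOKAHEAD."""
    pm = re.search(time_prefix, event)
    if not pm:
        return None
    tail = event[pm.end():]
    tm = re.match(r"\s*\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+", tail)
    return tm.end() if tm else None


def check_stanza(event: str) -> bool:
    """True when extraction, timestamp parsing and lookahead all succeed."""
    fields = extract_fields(event)
    if fields is None:
        return False
    if parse_timestamp(fields["ts"], TIME_FORMAT) is None:
        return False
    distance = chars_after_prefix(event, TIME_PREFIX)
    return distance is not None and distance <= MAX_TIMESTAMP_LOOKAHEAD


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
    print(parse_timestamp("2013-11-30 15:52:40.869", TIME_FORMAT))
    # The typo from the original stanza: the literal '$H' never matches.
    print(parse_timestamp("2013-11-30 15:52:40.869", "%Y-%m-%d $H:%M:%S.%3N"))
    print(chars_after_prefix(SAMPLE_EVENT, TIME_PREFIX), "chars after TIME_PREFIX")
    print("stanza ok:", check_stanza(SAMPLE_EVENT))
```

Running this against a handful of real lines from the source file is a cheap way to catch the two classic props.conf failures before they show up as events with the wrong `_time`: a TIME_PREFIX that does not match, and a TIME_FORMAT directive typo that silently falls back to Splunk's timestamp heuristics.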


Re: props.conf for specific log format

Legend

Note that the extraction is broken into two lines in the post above, but it must be on a single line in your props.conf.

0 Karma