Re: props.conf forcing a line break after a variab...

smudge797 · ‎07-18-2013

Please help Im new to regex and Im having trouble getting splunk to recognise the end of an event. Below is an example of how splunk is seeing the log files. The domain reference is part of the event before and i need the event to break at the DTG, not at the domain=blah before it.

domain=my.domain.it.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=your.domain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=my.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX
domain=his.funkydomain.uk.com [17/Jul/2013:11:17:03 -0500] remote_host=nn.nnn.nnn.nnn ajax=- http_method=GET url=/pr XXXXXXXXX

gregbujak · ‎07-18-2013

You can use the props.conf LINE_BREAKER attribute. It would look something like:

LINE_BREAKER=( )\[

This implies that the pattern is unique.

The thing to keep in mind is that Splunk has a data preview section that you can play around with. Manager » Data inputs » Files & directories » Data preview

gregbujak · ‎07-23-2013

Hi smudge797, if you are happy with the answer and it works for you, please accept the answer (both for the community and karma hoarding).

smudge797 · ‎07-23-2013

Great thanks gregbujak, I know about the previewer but had no clue about that specific regex. Thanks!

props.conf forcing a line break after a variable word

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation